linkfox-dld-product-billboard

Pass

Audited by Gen Agent Trust Hub on May 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes a Python script (scripts/dld_product_billboard.py) used to process query parameters and interface with the 1688 ranking API. The script uses standard libraries and manages authentication securely via environment variables.\n- [EXTERNAL_DOWNLOADS]: The skill fetches data from vendor-managed endpoints at tool-gateway.linkfox.com and provides a feedback channel via skill-api.linkfox.com. These interactions are restricted to the service provider's infrastructure and are necessary for the skill's operation.\n- [PROMPT_INJECTION]: The skill processes external data from the 1688 platform, creating a surface for indirect prompt injection. 1. Ingestion points: Product titles, shop names, and descriptions returned from the API. 2. Boundary markers: No specific delimiters are used when displaying retrieved content to the user. 3. Capability inventory: Python script execution (command execution) and network access. 4. Sanitization: No explicit sanitization or filtering of external content is performed. This is considered a characteristic of data-intensive tools and is documented here for awareness.
Audit Metadata
Risk Level
SAFE
Analyzed
May 30, 2026, 12:05 AM