linkfox-echotik-list-new-product-rank

Fail

Audited by Snyk on Jul 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The agent-files.linkfox.com entry is a direct downloadable release.zip that the skill instructs to install (an explicit install instruction for an archive), which is a common malware distribution vector and should be treated as suspicious until verified and authorized by the user.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). Outsider-authored free text can enter the LLM context via the runtime API response body from the external TikTok Shop ranking endpoint (call_api() reads arbitrary json.loads(response.read()) and then prints either full JSON to stdout or a summary that includes sample product titles/fields), which the agent may pass into the LLM.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's runtime remediation steps tell the agent to download and install remote code from https://agent-files.linkfox.com/skills/linkfox-onboarding/release.zip when onboarding.md is missing, meaning the URL would be fetched at runtime to install an onboarding skill that controls agent guidance.

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 16, 2026, 08:08 AM
Issues
3