linkfox-onboarding

Warn

Audited by Gen Agent Trust Hub on Jul 15, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to modify user shell configuration files (e.g., ~/.zshrc, ~/.bashrc) and use the Windows setx command to permanently store API keys in the environment. This behavior constitutes a persistence mechanism.
  • Evidence: SKILL.md contains explicit command templates for appending export statements to shell RC files and executing setx to update the registry-based environment.
  • [DATA_EXFILTRATION]: The skill collects and transmits user-provided authentication data, including phone numbers and SMS verification codes, to external LinkFox API endpoints.
  • Evidence: Scripts login_and_get_key.py and send_verify_code.py utilize the requests library to send user-supplied credentials to api.linkfox.com and agent-api.linkfox.com.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by ingesting untrusted data and using it to drive sensitive operations.
  • Ingestion points: User-supplied phone numbers and verification codes (documented in SKILL.md step 3).
  • Boundary markers: Absent; there are no instructions for the agent to delimit or ignore potentially malicious instructions embedded within the user's phone or code responses.
  • Capability inventory: Shell command execution (via Claude Code bash), file system writing (QR codes and shell profiles), and network operations (Python requests).
  • Sanitization: Absent; the skill relies on the agent to pass user input directly as arguments to Python scripts.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of third-party Python packages (requests, qrcode, pillow) from external registries to support its functionality.
  • Evidence: The Dependencies section in SKILL.md explicitly lists these packages and their installation commands.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 15, 2026, 12:18 PM