linkfox-onboarding
Warn
Audited by Gen Agent Trust Hub on Jul 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to modify user shell configuration files (e.g.,
~/.zshrc,~/.bashrc) and use the Windowssetxcommand to permanently store API keys in the environment. This behavior constitutes a persistence mechanism. - Evidence:
SKILL.mdcontains explicit command templates for appendingexportstatements to shell RC files and executingsetxto update the registry-based environment. - [DATA_EXFILTRATION]: The skill collects and transmits user-provided authentication data, including phone numbers and SMS verification codes, to external LinkFox API endpoints.
- Evidence: Scripts
login_and_get_key.pyandsend_verify_code.pyutilize therequestslibrary to send user-supplied credentials toapi.linkfox.comandagent-api.linkfox.com. - [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by ingesting untrusted data and using it to drive sensitive operations.
- Ingestion points: User-supplied phone numbers and verification codes (documented in
SKILL.mdstep 3). - Boundary markers: Absent; there are no instructions for the agent to delimit or ignore potentially malicious instructions embedded within the user's phone or code responses.
- Capability inventory: Shell command execution (via Claude Code bash), file system writing (QR codes and shell profiles), and network operations (Python
requests). - Sanitization: Absent; the skill relies on the agent to pass user input directly as arguments to Python scripts.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of third-party Python packages (
requests,qrcode,pillow) from external registries to support its functionality. - Evidence: The
Dependenciessection inSKILL.mdexplicitly lists these packages and their installation commands.
Audit Metadata