linkfox-sellersprite-competitor-lookup

Pass

Audited by Gen Agent Trust Hub on Jul 16, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documentation instructs the agent to download and install an onboarding tool from 'https://agent-files.linkfox.com/skills/linkfox-onboarding/release.zip' if the required API keys are not present. This resource originates from the vendor's infrastructure.
  • [COMMAND_EXECUTION]: The skill executes a local Python script ('scripts/sellersprite_competitor_lookup.py') to process user parameters and perform network requests to the SellerSprite API.
  • [DATA_EXFILTRATION]: The skill sends product search parameters to 'tool-gateway.linkfox.com' and transmits operational feedback to 'skill-api.linkfox.com'. These actions are consistent with the skill's stated purpose of providing competitor intelligence.
  • [CREDENTIALS_UNSAFE]: The Python script retrieves authentication tokens from environment variables ('LINKFOX_AGENT_API_KEY' or 'LINKFOXAGENT_API_KEY'). This follows best practices for secret management in agentic workflows and avoids hardcoded credentials.
  • [PROMPT_INJECTION]: The skill processes external product data such as Amazon titles, category names, and brand info retrieved from the SellerSprite API. This creates a surface for indirect prompt injection if listing content contains malicious instructions, which is a common risk for data-retrieval skills.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 16, 2026, 08:08 AM