linkfox-shopee-store-add-on-deal

Fail

Audited by Snyk on Jul 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 1.00). One URL is a direct ZIP download hosted on agent-files.linkfox.com with explicit instructions to download and install the skill (and to prompt the user for authorization), which matches high-risk patterns for distributing executables from a non-standard/personal file host.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). 该技能在运行时通过 call_api() 调用外部 DEVELOPER_PROXY_ENDPOINT/shopee/developerProxy)并将其返回的 JSON 解析后在 emit_result() 中打印到 stdout/摘要,从而把“外部接口返回的自由文本/字段内容”(可包含注入性字符串)喂入 LLM 上下文。

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 16, 2026, 08:09 AM
Issues
2