linkfox-shopee-store-orders

Fail

Audited by Snyk on Jul 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The URLs are mostly official Shopee docs and internal LinkFox endpoints, but one entry points to a direct ZIP download (https://agent-files.linkfox.com/skills/linkfox-onboarding/release.zip… ) hosted outside standard package managers — direct archive downloads for installing software are a higher-risk distribution vector and could contain executables/malware.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). 该 skill 在运行时通过 call_api() 调用外部网关 /shopee/developerProxy 获取响应体,并在 emit_result() 中将该响应(可能包含外部/第三方返回的自由文本字段)直接打印到 stdout(小响应)或摘要打印到 stdout(大响应),从而进入代理/LLM 的上下文;属于“外部 API 返回内容(非用户选择引入的文本)”类别。

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 16, 2026, 08:09 AM
Issues
2