pp-amazon-seller
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to download and install the 'amazon-seller-pp-cli' binary via 'npx' from the npm registry and 'go install' from the vendor's GitHub repository.
- [COMMAND_EXECUTION]: The skill operates by executing shell commands using the 'amazon-seller-pp-cli' binary.
- [DATA_EXFILTRATION]: The skill documents the '--deliver webhook:' feature and the 'feedback --send' command, which enable the transmission of data to arbitrary network endpoints.
- [PROMPT_INJECTION]: The skill processes untrusted data from the Amazon Seller API (catalog items, listings, and orders), which could serve as an indirect prompt injection vector.
  - Ingestion points: Amazon API data fetched via 'catalog', 'listings', and 'orders' commands in 'SKILL.md'.
  - Boundary markers: No delimiters or ignore instructions are specified for processed data.
  - Capability inventory: The skill can execute subprocesses, write to the file system, and make network requests.
  - Sanitization: No sanitization or validation of the fetched Amazon data is mentioned in 'SKILL.md'.
Audit Metadata