newegg-pc-builder

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script scripts/mcp_client.py to communicate with the Newegg MCP service. This script is used for discovering available tools and sending user queries to the API.
  • [DATA_EXFILTRATION]: The skill performs network operations to the vendor-owned endpoint https://apis.newegg.com/ex-mcp/endpoint/pcbuilder. This communication is essential for the skill's functionality and targets legitimate vendor infrastructure.
  • [DATA_EXPOSURE]: The mcp_client.py script contains functionality to read content from local files when arguments are prefixed with @ (e.g., @args.json). This feature is documented as a workaround for quoting limitations in Windows environments, though it allows the script to read any local file path provided by the agent.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes external data from the Newegg API, which could theoretically contain instructions intended to influence the agent's behavior.
      • Ingestion points: API responses are received and parsed in scripts/mcp_client.py, then presented to the agent in SKILL.md (Step 4).
      • Boundary markers: Absent; there are no specific delimiters or instructions for the agent to ignore commands within the returned product or build data.
      • Capability inventory: The skill allows shell execution of the mcp_client.py script, which involves network access to Newegg's API.
      • Sanitization: None; the script parses the API's JSON/SSE response and prints it directly for agent interpretation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 19, 2026, 01:53 AM