ziniao-workflow-store-patrol

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill employs high-urgency directives ('CRITICAL — 开始前 MUST') to force the agent to read external context files (../ziniao-shared/SKILL.md) before execution. While intended to ensure necessary dependencies are loaded, these patterns represent a strong steer of agent behavior.
  • [COMMAND_EXECUTION]: The skill relies on the execution of the ziniao-cli binary to perform all core functions, including store management and browser automation. These commands run with the permissions of the local user.
  • [DATA_EXFILTRATION]: The primary purpose of the skill is the extraction of business data from authenticated sessions (Amazon Seller Central). It uses page screenshot, page content, and page extract to gather sensitive information, which is then compiled into reports.
  • [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it ingests untrusted content from external web pages via extraction tools.
  • Ingestion points: ziniao-cli page extract, page content, and page query in SKILL.md.
  • Boundary markers: None identified; extracted data is processed without explicit delimiters or 'ignore' instructions.
  • Capability inventory: The skill can execute shell commands via ziniao-cli and write to the local file system (e.g., ./patrol/ directory).
  • Sanitization: No evidence of sanitization or validation of the content scraped from web pages before the agent processes it.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 12:44 AM