ziniao-workflow-store-patrol
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill employs high-urgency directives ('CRITICAL — 开始前 MUST') to force the agent to read external context files (
../ziniao-shared/SKILL.md) before execution. While intended to ensure necessary dependencies are loaded, these patterns represent a strong steer of agent behavior. - [COMMAND_EXECUTION]: The skill relies on the execution of the
ziniao-clibinary to perform all core functions, including store management and browser automation. These commands run with the permissions of the local user. - [DATA_EXFILTRATION]: The primary purpose of the skill is the extraction of business data from authenticated sessions (Amazon Seller Central). It uses
page screenshot,page content, andpage extractto gather sensitive information, which is then compiled into reports. - [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it ingests untrusted content from external web pages via extraction tools.
- Ingestion points:
ziniao-cli page extract,page content, andpage queryinSKILL.md. - Boundary markers: None identified; extracted data is processed without explicit delimiters or 'ignore' instructions.
- Capability inventory: The skill can execute shell commands via
ziniao-cliand write to the local file system (e.g.,./patrol/directory). - Sanitization: No evidence of sanitization or validation of the content scraped from web pages before the agent processes it.
Audit Metadata