Back to skill

Security audit

亚马逊-店铺A+页面

Security checks across malware telemetry and agentic risk

Overview

This Amazon A+ Content skill matches its stated purpose, but it can change live storefront content and automatically saves full API responses locally with imperfect scope and cost disclosure.

Install only if you are comfortable giving this skill access to manage Amazon A+ Content through LinkFox. Use it in a private workspace, confirm every create/update/approval/suspend/ASIN-replacement action, and inspect saved files under linkfox directories because full API responses may remain on disk. Be especially careful with ASIN replacement: submit the complete intended ASIN set, not only additions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities to read environment variables, write files under the current working directory, invoke Python scripts, and make proxied network requests, yet no explicit permission declaration is present. This creates a transparency and policy-enforcement gap: users or hosting frameworks may not realize the skill can access secrets, persist potentially sensitive API responses locally, and reach external services through shell-invoked scripts.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation says the tool '会消耗积分' and instructs the agent not to auto-retry because of extra cost, but later states '不消耗积分'. Contradictory billing guidance is a security-relevant integrity issue because it can mislead users into approving actions under false assumptions, especially when the skill performs networked write operations and repeated calls may have financial or operational consequences.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This module includes a generic archival subsystem that persistently stores full API responses and session metadata under local directories unrelated to the narrow A+ Content helper purpose. Because SP-API responses may contain sensitive business data and possibly tokens or identifiers proxied through the gateway, indiscriminate local retention increases the attack surface and creates a confidentiality risk if the host is shared or later compromised.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document states that posting ASIN relations performs a full replacement and may suspend content on removed ASINs, but it does not elevate this into a prominent caution, confirmation, or safe-operation procedure. In an agent skill that automates Amazon store operations, this can cause unintended bulk detachment or suspension of live A+ content if a caller supplies a partial ASIN set or misunderstands the API semantics.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The result emitter writes full serialized API responses to disk and may also print them inline, without any redaction or explicit consent gate. In the context of a store-management skill handling Amazon business content and auth-derived API access, this can leak sensitive operational data to local storage, logs, terminal history, or other users on the same machine.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script performs a destructive full replacement of A+ content ASIN relations, and the docstring explicitly notes that removed ASINs will have their display suspended. Because there is no runtime confirmation, dry-run, diff preview, or guardrail for bulk removals, an accidental or malformed input can immediately unpublish content across products. In the context of a store-management skill that directly calls SP-API write endpoints, this is more dangerous because the operation is legitimate and high-impact, making operator mistakes more likely to cause real business disruption.

Ssd 3

Medium
Confidence
96% confidence
Finding
Persisting and optionally echoing full API responses creates a straightforward data retention and disclosure path. Even if access tokens are not intentionally logged, proxied response bodies, seller metadata, content documents, or error payloads can contain sensitive data that remains readable on disk and may later be exposed through backups, shared workspaces, or support logs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.