Back to skill

Security audit

亚马逊-店铺订单

Security checks across malware telemetry and agentic risk

Overview

This Amazon Orders skill is purpose-aligned but should be reviewed because it can read sensitive order data, change order/shipment state, and automatically saves full API responses locally.

Install only if you trust LinkFox with your Amazon seller order workflow and are comfortable with full order responses being saved locally. Use it from a private workspace, avoid broad buyer/address requests unless needed, review saved linkfox data files for retention, and require explicit human confirmation before running shipment or verification update scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documents use of environment variables, shell scripts, network calls, and file writes, but it does not declare permissions or clearly scope those capabilities. This undermines least privilege and makes it harder for users or the hosting system to assess what the skill can access before activation.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file states both that the tool consumes credits and later that it does not consume credits, which is a security-relevant documentation inconsistency. Contradictory billing behavior can mislead users into authorizing repeated operations or broad searches they would not otherwise permit, especially where API calls touch sensitive order data.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The shared emit_result() helper serializes and saves full API responses to local disk, and this Orders skill can handle buyer info, shipping address, and order details. That creates persistent local storage of sensitive commerce and PII data beyond the apparent need to proxy SP-API calls, increasing exposure through host compromise, multi-user access, backups, or accidental disclosure.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This helper implements session directories, indexing, metadata tracking, and archival of outputs, which materially expands data retention and collection behavior beyond a simple API helper. In the context of Amazon Orders data, such archival infrastructure increases the chance that sensitive order and buyer information is accumulated and retained without strong justification or controls.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs that full API responses are always written to disk, including order, buyer, and address-related data, without requiring explicit user consent or providing a clear privacy warning at the time of use. Persisting sensitive commerce and PII data in session-linked local files increases the risk of unauthorized access, over-retention, accidental inclusion in project context, and downstream leakage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly describes APIs for retrieving buyer information, shipping addresses, and order item buyer info, which are sensitive personal data, but does not provide clear user-facing privacy warnings, access restrictions, or handling requirements beyond a brief technical note about RDT and deprecated status. In an agent skill context, this increases the risk that downstream users or implementers will invoke PII-bearing endpoints without understanding consent, minimization, retention, and redaction obligations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code writes response data to disk automatically and prints the saved path, but there is no visible user-facing warning or consent mechanism in this file. Because responses may include buyer and address data from Orders APIs, silent persistence undermines transparency and can violate least-expectation and data-handling requirements.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script retrieves a customer's shipping address from the Amazon Orders API and emits it directly in the result output, without any explicit minimization, warning, redaction, or secondary authorization check. Because shipping addresses are sensitive personal data, exposing them through a general-purpose skill increases the risk of unnecessary disclosure to downstream tools, logs, or users who may not need full address details.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This script retrieves buyer information from the Amazon Orders API and sends it over the network via the developer proxy, but the file contains no privacy guardrails such as explicit authorization checks tied to the specific PII action, data-minimization controls, masking, or user-facing disclosure. In the context of buyerInfo, which can contain sensitive customer data and may require a Restricted Data Token, this increases the risk of unnecessary exposure or misuse of PII if invoked by an authorized-but-overbroad workflow.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This script retrieves regulated order information, which can include sensitive compliance- and customer-related order data, but it performs the access silently with no user-facing disclosure, confirmation, or justification step. In an agent skill context, that increases the risk of over-collection or unintended exposure of sensitive order data when a user invokes a broad order-related request.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script performs a state-changing external API call to Amazon's Orders API to update shipment status, but it contains no built-in confirmation, dry-run mode, or user-facing mutation warning before executing the write. In an agent context, this raises the risk of accidental or prompt-induced order state changes, which could incorrectly mark orders as ready for pickup, picked up, or refused, causing operational and customer-impacting issues.

Ssd 3

Medium
Confidence
97% confidence
Finding
The mandated persistence of complete API responses into predictable, session-linked local paths creates a clear data-handling vulnerability for sensitive order and buyer information. In this context, the danger is elevated because the skill interfaces with Amazon Orders APIs, including buyer info and shipping address endpoints, so stored files may contain regulated or restricted personal data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.