Back to skill

Security audit

亚马逊-店铺定价

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Amazon pricing queries, but it handles store credentials and saves full responses locally in ways users should review before installing.

Install only if you trust LinkFox with Amazon SP-API access tokens and seller pricing data. Review the configured gateway environment variables, understand that full responses may be saved locally, and clean the linkfox session data after use if it contains sensitive business information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs use of environment variables, local file writes, network calls, and shell execution, yet declares no permissions. This creates a transparency and policy-enforcement gap: a host may invoke the skill without understanding it can access credentials, write persistent artifacts, and contact external services.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill says earlier that usage consumes credits and warns not to continue probing without user notice, but later states '不消耗积分'. Contradictory billing guidance can mislead an agent into making unintended paid requests or misrepresenting cost to the user.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The helper persistently writes full API responses to local files under a session directory, even though the skill is described as a pricing/proxy tool rather than a data archival component. Because these responses may contain pricing intelligence, seller identifiers, tokens, request metadata, or other sensitive business data, this creates unnecessary at-rest exposure and increases the blast radius if the host, workspace, or temp directory is accessible to other users or processes.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger description is broad, covering many generic pricing-related phrases, which increases the chance of accidental activation in unrelated contexts. Over-broad activation can cause unnecessary external API calls, credential use, and data handling for prompts that did not intend to invoke this skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits seller identifiers and an Amazon access token to a configured external gateway endpoint, with the destination partially controlled by environment variables. In a skill context, this is sensitive cross-boundary data handling; if the gateway is misconfigured, compromised, or replaced via environment manipulation, credentials and store metadata could be exposed to an unintended party.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This script sends seller identifiers to /spApi/storeTokens and then forwards an Amazon access token to /spApi/developerProxy, but the file itself provides no explicit user-facing notice, consent flow, or minimization controls around that transmission. In a pricing skill this data flow is expected for functionality, but it still increases privacy and credential-handling risk because sensitive identifiers and bearer-like tokens traverse an external gateway service.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill mandates saving complete API responses to session-linked local files under the working directory. Pricing responses and related metadata may contain seller identifiers, marketplace data, request details, or other sensitive business information that persists beyond the immediate task and may be exposed to other processes or users with workspace access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.