amazon-asin-lookup-api-skill
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The script scripts/amazon_asin_lookup_api.py makes network requests to the vendor's official domain api.browser-act.com to initiate tasks and retrieve product data.
- [DATA_EXFILTRATION]: The skill transmits the BROWSERACT_API_KEY (retrieved from environment variables) and user-supplied product identifiers (ASIN) to the vendor's API endpoint. This is standard functionality for the service and occurs within the author's own infrastructure.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It ingests untrusted product data (such as descriptions and reviews) from Amazon via an API call in scripts/amazon_asin_lookup_api.py. There are no boundary markers or sanitization procedures implemented to prevent malicious instructions embedded in that product data from influencing the agent's behavior. The script's capabilities are limited to network requests and standard output.
Audit Metadata