affiliate-program
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: An Indirect Prompt Injection surface was identified in the trackAffiliateClick function provided in SKILL.md, regarding unvalidated redirects.
  - Ingestion points: The function processes untrusted data from the req.query.redirect parameter.
  - Boundary markers: There are no boundary markers or host-validation logic implemented to restrict the redirect destination.
  - Capability inventory: The script uses the res.redirect() capability to forward users to arbitrary external locations and performs database write operations to log click events.
  - Sanitization: The provided code snippet lacks sanitization or validation for the redirect URL, creating a surface for Open Redirect attacks.
- [EXTERNAL_DOWNLOADS]: The skill recommends the use of reputable third-party applications and plugins from well-known platforms, such as Refersion and UpPromote from the Shopify App Store, and AffiliateWP for WooCommerce platforms.
Audit Metadata