newegg-shell-shocker

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE [EXTERNAL_DOWNLOADS] [COMMAND_EXECUTION] [PROMPT_INJECTION]
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches flash deal information from Newegg's official API, which is consistent with the skill's stated purpose and targets a well-known service.
  • [COMMAND_EXECUTION]: Utilizes the bash tool to execute a curl command. The command is hardcoded to a specific official endpoint and does not involve risky shell operations or unsanitized input.
  • [PROMPT_INJECTION]: The skill processes external data from Newegg, creating a surface for potential indirect prompt injection. Evidence: (1) Ingestion points: JSON response from newegg.com. (2) Boundary markers: None explicitly used. (3) Capability inventory: bash (for curl) and read_file. (4) Sanitization: No explicit validation or escaping of API-returned text is performed.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 9, 2026, 08:29 AM