shopee
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The script uses the `browser-cookie3` library to extract session cookies for the `.shopee.com.br` domain from the user's browser profiles. These cookies are stored locally in `.cookies_cache.json` to facilitate scraping and are not transmitted to any unauthorized external domains.
- [COMMAND_EXECUTION]: The skill executes the `Xvfb` binary via `subprocess.Popen` to create a virtual display for browser automation on Linux and macOS systems.
- [EXTERNAL_DOWNLOADS]: The setup process involves running `camoufox fetch`, which downloads browser binaries and geodata from official Camoufox sources to support stealth browsing capabilities. This is a standard operation for browser automation tools.
- [PROMPT_INJECTION]: The skill fetches product data from Shopee Brazil, creating an indirect prompt injection surface as untrusted content is processed without explicit sanitization or boundary markers. Ingestion points: `scripts/shopee.py` (via Shopee API and HTML responses); Boundary markers: None present for scraped content; Capability inventory: `subprocess.Popen` and `Camoufox` browser-based networking; Sanitization: No explicit sanitization or escaping of external text content detected.
Audit Metadata