feishu-doc
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It reads content from external documents and chat messages using cmd_read and cmd_read_chat in feishu_doc.py and provides this untrusted data to the agent without sanitization or boundary markers. This is critical because the skill grants the agent extensive write and delete capabilities across the Feishu platform.
  - Ingestion points: feishu_doc.py (functions: cmd_read, cmd_read_chat, cmd_wiki_tree).
  - Boundary markers: None identified in SKILL.md or feishu_doc.py to separate untrusted data from instructions.
  - Capability inventory: feishu_doc.py (functions: cmd_create, cmd_append, cmd_overwrite, cmd_update_block, cmd_delete_block, cmd_notify, cmd_send).
  - Sanitization: No sanitization or filtering of input content is performed before processing.
- [COMMAND_EXECUTION]: The skill invokes external CLI tools (feishu-docx) using subprocess.run in feishu_doc.py. While it correctly uses the list-based argument format to mitigate shell injection, it passes user-supplied URLs and directory paths directly to these external processes.
- [CREDENTIALS_UNSAFE]: Authentication credentials, including the app_secret and generated OAuth access_token, are stored in plain text files (config.yaml and user_token.json) within the skill directory. This poses a risk if the environment where the skill is deployed is shared or insufficiently secured.
Audit Metadata