tell-me
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It processes untrusted conversation history into a summary and interpolates that summary directly into a shell command for execution. An attacker could craft conversation content that, when summarized, contains shell metacharacters (e.g., ;, &, or backticks) to execute unauthorized commands on the host.
  - Ingestion points: The '总结对话' (Summarize conversation) step in SKILL.md processes the current conversation history as input.
  - Boundary markers: The skill lacks delimiters or explicit instructions to ignore potentially malicious commands embedded within the conversation text.
  - Capability inventory: The skill invokes node via a shell command to execute the send.js script with summary parameters.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the summary text before it is interpolated into the shell command string.
- [COMMAND_EXECUTION]: The skill relies on the execution of a local Node.js script using shell commands. This capability, combined with untrusted input from dialogue summaries, creates a significant attack surface for command injection if the agent's shell execution environment does not handle quoting and escaping securely.
- [DATA_EXFILTRATION]: The send.js script transmits conversation summaries to an external Feishu webhook URL. While intended for legitimate notifications, the destination is configurable (via config.json or by following the instructions in 配置SOP.md), which could be abused to send sensitive dialogue data to an arbitrary, attacker-controlled endpoint.
Audit Metadata