sheets-report

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill communicates with the official Feishu/Lark API endpoints (open.feishu.cn). This is a well-known and trusted service provider. The communication is strictly for spreadsheet management as described in the skill's purpose.
  • [DATA_EXFILTRATION]: The skill uses a sensitive credential (LARK_TENANT_TOKEN) retrieved from the environment. Technical analysis shows the token is only used in the Authorization header for requests sent to the official Feishu API. There is no evidence of this token or other sensitive data being sent to unauthorized third-party domains.
  • [COMMAND_EXECUTION]: No use of dangerous functions like os.system, subprocess.run, or eval for executing shell commands was found. The script uses standard library functions for network requests and data processing.
  • [PROMPT_INJECTION]: The skill accepts parameters like title and spreadsheet_token which may originate from user input. While the skill documentation encourages automated execution based on context, the data is processed using structured JSON formats when calling the API, which reduces the risk of malicious payload execution.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 1, 2026, 12:35 AM