
handoff

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains several instructions designed to override the agent's standard turn-taking and safety behaviors.
      • It mandates an indefinite loop ("CRITICAL: This is an INDEFINITE loop that NEVER exits") and uses "ABSOLUTE RULE" markers to prevent the agent from terminating the session.
      • It includes instructions intended to survive context compaction by being placed in recovery sections, effectively acting as a persistent secondary system prompt.
  • [PROMPT_INJECTION]: The skill presents a large attack surface for Indirect Prompt Injection (Category 8).
      • Ingestion points: Untrusted text, images, and files are ingested from Lark via wait_for_reply.py and handoff_ops.py.
      • Boundary markers: Absent. The agent is explicitly told to "Treat the Lark reply as if the user typed it in the CLI."
      • Capability inventory: The agent has access to Bash, Read, Edit, Write, and Task tools while processing these inputs.
      • Sanitization: No sanitization or escaping is performed on external content before it enters the agent's context.
      • Guest Access: The skill includes a "guest whitelist" feature allowing third parties to interact with the agent. While the instructions suggest reduced privileges for guests, the agent still processes their natural-language input, creating a vector for unauthorized command execution.
  • [COMMAND_EXECUTION]: The skill frequently requires the use of dangerouslyDisableSandbox: true for Bash commands. While this is necessary for the skill's network functionality (interacting with Lark and Cloudflare), it removes standard security isolation layers.
  • [COMMAND_EXECUTION]: The setup process (SKILL-setup.md) involves automated execution of global package installations (npm install -g wrangler) and infrastructure deployment commands.
  • [DATA_EXFILTRATION]: The skill's on_post_tool_use.py hook automatically forwards tool outputs, including Bash results, file edits, and diffs, to the external Lark platform. If the agent accesses sensitive files or environment variables during a session, this data will be automatically transmitted to the third-party chat group.
  • [EXTERNAL_DOWNLOADS]: The skill downloads images and files from Lark's official servers (open.larksuite.com) during the interaction loop. While Lark is a well-known service, these files are processed directly by the agent's tools.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 6, 2026, 12:37 PM