lark-wiki
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The SKILL.md file contains a direct instruction to bypass safety measures by using 'dangerouslyDisableSandbox: true' for Bash operations.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through document processing. It ingests untrusted data from external Lark wiki pages and document blocks without any sanitization or boundary markers.
  - Ingestion points: scripts/lark_wiki.py (cmd_read and cmd_blocks functions).
  - Boundary markers: None present; content is processed directly as text or JSON.
  - Capability inventory: The skill can execute shell commands, create/modify wiki pages, manage document permissions, and access the network.
  - Sanitization: No validation or filtering is applied to content retrieved from Lark APIs.
- [CREDENTIALS_UNSAFE]: The 'init' command in scripts/lark_wiki.py collects Lark App IDs and App Secrets and saves them in plain text in the ~/.lark-wiki/config.json file.
- [EXTERNAL_DOWNLOADS]: The skill requires the external 'playwright' package and subsequently downloads browser binaries (Chromium) from remote servers at runtime via 'python3 -m playwright install chromium'.
- [DATA_EXFILTRATION]: The skill reads local configuration and session data and transmits it to the larksuite.com domain (or a user-defined domain via LARK_BASE).
- [COMMAND_EXECUTION]: The skill relies on the execution of multiple Python scripts and automated browser processes that have broad access to the local environment.
Recommendations
- AI detected serious security threats
Audit Metadata