skills/dreasky/feishu-skill/feishu/Gen Agent Trust Hub

feishu

Warn

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the subprocess module to execute system commands and manage a local Python virtual environment. Specifically, scripts/run.py and scripts/setup_environment.py invoke pip and python to install dependencies and run skill scripts. Furthermore, scripts/claude_launcher/launcher.py uses subprocess.run and subprocess.Popen (with shell=True on Windows) to search for and invoke the Claude CLI binary.
  • [REMOTE_CODE_EXECUTION]: The ClaudeLauncher class in scripts/claude_launcher/launcher.py dynamically generates temporary shell scripts (.sh for Linux) and PowerShell scripts (.ps1 for Windows) at runtime. These scripts are written to the system's temporary directory, granted execution permissions (on Unix), and then executed. This technique, while used here to facilitate a cross-platform launcher, is a form of dynamic code execution.
  • [DATA_EXFILTRATION]: The skill is designed to move data between the local host and Feishu's cloud servers. It can download message resources (images, files) and upload documents to Feishu. The MessageManageWrapper and CloudSpaceWrapper in the scripts/wrapper/ directory facilitate these network operations using the requests library and the lark-oapi SDK.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. The FileCollectorBot in scripts/folder_manage/file_collector_bot.py downloads user-uploaded files from Feishu to a local directory and then launches an external AI agent (claude) with a prompt that directs it to work in that directory. If the downloaded files contain malicious instructions, they could influence the behavior of the secondary agent tool.
      • Ingestion points: Feishu message receive events (_on_message_receive) download files to the output/ directory.
      • Boundary markers: None; the launch prompt simply provides a work directory path.
      • Capability inventory: The skill provides ClaudeLauncher, which has the ability to execute shell commands and modify files (via the Claude CLI).
      • Sanitization: There is no sanitization or content filtering performed on the files downloaded from Feishu before they are processed by the external agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 1, 2026, 07:50 AM