send-feishu
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute
curlcommands andpython3heredoc scripts. It interpolates user-provided variables such as message text, titles, and file paths directly into these execution contexts. This pattern is vulnerable to command injection if the agent does not strictly escape shell metacharacters before executing the commands. - [DATA_EXFILTRATION]: The skill transmits local file content and user messages to external endpoints, including the Feishu API (
open.feishu.cn) and user-provided webhooks. While consistent with its stated purpose, this provides a pathway for data to be sent outside the local environment. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data (user-provided text and files) and includes it in tool execution logic without robust boundary markers or programmatic sanitization. 1. Ingestion points: User message content, file names, and titles (SKILL.md). 2. Boundary markers: Absent in Bash examples, providing no separation between instructions and data. 3. Capability inventory: Bash execution (
curl), Python execution, and local file reading (SKILL.md). 4. Sanitization: None; the skill relies on instructional text rather than automated filtering or validation.
Audit Metadata