lark-calendar
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or security threats were detected in the skill instructions or reference files. The skill follows its stated purpose of managing Lark Calendar resources through a dedicated CLI tool.
- [COMMAND_EXECUTION]: The skill utilizes the lark-cli command-line interface to interact with the Lark API. These executions are scoped to the calendar resource and are necessary for the skill's functionality. Use of vendor-provided CLI tools is standard practice for this author.
- [INDIRECT_PROMPT_INJECTION]: The skill processes user-supplied text for fields like event summaries and descriptions. This presents an indirect prompt injection surface. However, the risk is low as the data is used as parameters for the calendar API and does not influence shell command logic beyond being string arguments. Mandatory Evidence Chain: 1. Ingestion points: summary and description flags in lark-cli calendar +create and +update (found in SKILL.md, references/lark-calendar-create.md, references/lark-calendar-update.md). 2. Boundary markers: Absent. 3. Capability inventory: lark-cli calendar create, patch, and update commands. 4. Sanitization: Absent.
Audit Metadata