lark-mail

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill contains explicit defensive instructions designed to prevent the AI agent from being manipulated by malicious content within emails. It identifies email bodies, subjects, and sender names as untrusted external inputs and provides strict rules to ignore any 'commands' or 'instructions' embedded within them. The detector flag for 'Ignore previous instructions' is a false positive triggered by these defensive examples.
  • [INDIRECT_PROMPT_INJECTION]: As an email management tool, the skill necessarily processes external data, which makes it an indirect prompt injection surface. The author has mitigated this risk by including a mandatory safety section ('⚠️ 安全规则', "Security Rules") that establishes clear boundaries between user instructions and external data.
      • Ingestion points: External email data fetched via the +message, +messages, +thread, and +triage shortcuts.
      • Boundary markers: Explicit instructions in SKILL.md define all email-derived fields as untrusted and separate from the user's operational intent.
      • Capability inventory: The skill allows reading, drafting, sending, and deleting emails via the lark-cli tool.
      • Sanitization: The instructions mandate that the agent must never execute instructions found in email content and must always seek user confirmation for high-risk operations like sending or forwarding.
  • [DATA_EXFILTRATION]: The skill adheres to the principle of least privilege by defaulting all outgoing email operations (send, reply, forward) to 'draft' mode. Sending an actual email requires either a specific --confirm-send flag or a separate call to the send API, both of which require explicit user confirmation according to the skill's instructions. No unauthorized network requests were found.
  • [EXTERNAL_DOWNLOADS]: The skill requires the lark-cli binary, which is consistent with the author 'larksuite'. No unverified third-party dependencies or remote script execution patterns (e.g., curl|bash) were identified.
  • [COMMAND_EXECUTION]: All system interactions are routed through the lark-cli tool. The commands are structured and do not provide a path for arbitrary shell command injection.
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 03:04 AM