lark-vc
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute various
lark-clicommands for meeting operations. This includeslark-cli vc +searchfor historical data andlark-cli vc +notesfor content retrieval. These commands are part of the intended vendor functionality. - [EXTERNAL_DOWNLOADS]: The skill performs downloads of meeting artifacts (e.g., transcripts and whiteboard cover images) from the Lark platform to the local file system. Files are stored in organized subdirectories under
./minutes/. All downloads target the vendor's own infrastructure. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It provides instructions to fetch external markdown content from meeting notes (
lark-cli docs +fetch) and parse it for specific tokens (e.g.,<whiteboard token="xxx"/>). These tokens are then interpolated directly into CLI commands (lark-cli docs +media-download --token <whiteboard_token>). This pattern could be exploited if malicious content is placed in the meeting notes to perform argument injection. - Ingestion points: Meeting notes, transcripts, and AI summaries retrieved via the Lark API (files:
SKILL.md,references/lark-vc-notes.md). - Boundary markers: No explicit markers or delimiters are defined to isolate untrusted content during parsing.
- Capability inventory: The agent has the ability to write to the local file system and execute CLI commands with network access.
- Sanitization: The instructions do not specify any validation or escaping for the tokens extracted from external content before they are used in shell commands.
Audit Metadata