dingtalk-workflow-business-advisor
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill aggregates and processes sensitive corporate and personal information, including attendance records, pending OA approvals, financial investment portfolios, and CRM contact details. Summaries of this data are broadcast to DingTalk group chats and sent via DING messages, which could lead to unauthorized data exposure if the output channels are not strictly controlled.
- [COMMAND_EXECUTION]: The skill extensively utilizes the `dws` CLI tool to perform complex operations such as database creation, record querying, and message dispatching. The use of the `--yes` flag throughout the scripts ensures commands execute without user confirmation.
- [PROMPT_INJECTION]: The skill exhibits a large attack surface for indirect prompt injection due to its multi-source data ingestion and complex processing pipeline.
  - Ingestion points: Data enters the agent context from `dws todo` (tasks), `dws calendar` (events), `dws oa` (approvals), `dws attendance` (employee records), multiple `dws aitable` bases (CRM, Finance, Content), and `WebSearch` results.
  - Boundary markers: There are no specific delimiters or instructions provided to the agent to distinguish between its primary instructions and potentially malicious instructions embedded within the retrieved data.
  - Capability inventory: The agent has the ability to write records to databases (`dws aitable record create`), send messages to public groups (`dws chat message send-by-bot`), and send targeted private alerts (`dws ding message send`).
  - Sanitization: The skill does not implement sanitization, validation, or escaping of the external content before it is processed by the AI advisor roles, potentially allowing malicious data to influence agent behavior.
Audit Metadata