dingtalk-workflow-health-diary
Fail
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill hardcodes a specific user ID ('manager6950') for DingTalk messaging and attendance record retrieval. This results in the agent sending user-specific health analysis to a fixed account and fetching PII (attendance data) for a specific user regardless of the current user's context.
- [COMMAND_EXECUTION]: User-provided strings, such as food names and health status descriptions, are directly interpolated into CLI commands like 'dws aitable record query --keyword "<食物名>"'. This creates a risk of argument or command injection if the user input contains malicious shell characters.
- [PROMPT_INJECTION]: The skill ingests untrusted user data into its workflow logic without proper sanitization.
  - Ingestion points: User-provided diet logs and health status reports.
  - Boundary markers: Missing markers or instructions to separate user-provided content from agent commands.
  - Capability inventory: Access to database management (aitable), messaging (ding), and organizational data (attendance).
  - Sanitization: No evidence of input validation or escaping of user-provided keywords.
Recommendations
- AI detected serious security threats
Audit Metadata