dingtalk-workflow-morning-brief

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the dws command-line interface to perform various operations, including retrieving calendar events, task lists, OA approvals, and attendance records. It also uses CLI commands to search for chat groups and send messages.
  • [DATA_EXFILTRATION]: The skill is designed to read sensitive work-related data (calendar, tasks, pending approvals, attendance) and transmit summaries of this data to external destinations such as DingTalk group chats or via DING messages to specific users. While this is the intended functionality, it involves the movement of potentially confidential organizational information.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted data from multiple sources and uses an AI to generate a summary that is then sent to other users.
    • Ingestion points: Data enters the agent context through dws calendar event list, dws todo task list, dws oa approval list-pending, and dws aitable record query (SKILL.md).
    • Boundary markers: There are no defined delimiters or instructions to ignore embedded commands within the processed data sources.
    • Capability inventory: The skill possesses the capability to write and send messages externally via dws chat message send-by-bot and dws ding message send (SKILL.md).
    • Sanitization: No evidence of sanitization, escaping, or validation of the retrieved external content is present in the instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 14, 2026, 02:52 AM