lark-workflow-announce
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by directly interpolating user-controlled variables like '<群名称>' (group name) and '<HTML 公告内容>' (announcement content) into
lark-clicalls. This represents a command injection surface if the agent does not properly escape inputs. 1. Ingestion points: User-provided group name and announcement body in SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: Shell command execution through lark-cli for searching chats, reading API data, and patching announcements. 4. Sanitization: No sanitization or escaping instructions provided. - [PROMPT_INJECTION]: The skill uses authoritative directives such as 'CRITICAL' and 'MUST' to mandate that the agent reads an external file (
../lark-shared/SKILL.md) for authentication context before performing tasks.
Audit Metadata