lark-workflow-approval-reminder
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill employs imperative, high-priority language ("CRITICAL — 开始前 MUST...") to dictate the agent's operational sequence and force specific tool usage before proceeding. While intended for state management, this mirrors instruction override patterns.
- [COMMAND_EXECUTION]: The workflow involves constructing and executing shell commands (lark-cli) using variables derived from user input or API responses, such as <instance_id>, <approval_code>, and <approver_open_id>. The lack of explicit sanitization or escaping instructions for these placeholders creates a potential surface for command injection if inputs contain shell metacharacters.
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the Lark Approval API (Step 1 and 2) and instructs the AI to interpret this data to identify approvers and next steps.
  - Ingestion points: API responses from /open-apis/approval/v4/instances containing user-controlled fields like approval titles and node information.
  - Boundary markers: The instructions do not define clear delimiters or "ignore embedded instructions" warnings for the AI when processing the API output.
  - Capability inventory: The skill has the capability to send messages to users and groups (lark-cli im +messages-send).
  - Sanitization: There are no instructions for validating or sanitizing the content extracted from the API before using it in subsequent message-sending operations.
Audit Metadata