lark-workflow-chat-digest
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface detected. The skill processes external, untrusted data which could contain instructions that influence the agent's behavior.
  - Ingestion points: Chat messages are retrieved using the `lark-cli im +chat-messages-list` command as described in `SKILL.md`.
  - Boundary markers: The instructions do not define clear delimiters or provide the AI with instructions to ignore embedded commands within the chat content.
  - Capability inventory: The skill possesses write capabilities including `lark-cli im +messages-send` and `lark-cli docs +create` in `SKILL.md`.
  - Sanitization: There is no mention of sanitization, filtering, or validation of the chat messages before they are processed by the AI.
- [COMMAND_EXECUTION]: The skill instructions define shell command templates (e.g., `lark-cli im +chat-search --query "<群名称>"`) where parameters like `<群名称>`, `<chat_id>`, and `<日报内容>` are derived from user input or external chat content. If these inputs contain shell metacharacters and are not properly sanitized by the execution environment, they could lead to arbitrary command execution.
Audit Metadata