lark-workflow-crm
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing the lark-cli binary to interact with the Feishu platform. It dynamically constructs shell commands using a combination of direct user input and data retrieved from the database.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection due to its data-handling procedures.
  1. Ingestion points: The agent retrieves untrusted data from external Feishu records via record-list and data-query operations (as seen in Phase 4 of SKILL.md).
  2. Boundary markers: The skill does not implement explicit boundary markers or delimiters to isolate retrieved data from its own instructional logic.
  3. Capability inventory: The agent has the authority to modify or delete CRM database records (record-upsert, record-delete) and send messages to external users (messages-send).
  4. Sanitization: There is no defined process for sanitizing or validating the content of the CRM records before the agent processes them.