lark-workflow-knowledge-base
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `lark-cli` binary to manage authentication, document creation, messaging, and database operations within the Lark platform.
- [EXTERNAL_DOWNLOADS]: As part of its core functionality, the skill fetches content from external URLs, including articles, YouTube video metadata/transcripts, Twitter threads, and PDF files.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from the internet which is then processed by the AI to perform actions.
  - Ingestion points: External content is fetched from various web sources (Articles, YouTube, Twitter, PDFs) as described in the 'Step 2: 抓取内容' section of `SKILL.md`.
  - Boundary markers: The instructions do not specify any delimiters or safety warnings to distinguish between system instructions and untrusted content being summarized.
  - Capability inventory: The skill has the capability to send messages (`im +messages-send`), create documents (`docs +create`), and modify database records (`base +record-upsert`), which could be abused if malicious instructions are embedded in the fetched content.
  - Sanitization: There is no mention of sanitization or validation of the external content before it is used to generate summaries or tags.
- [SAFE]: The skill's request for authentication via `lark-cli auth login` with multiple scopes (`wiki`, `docs`, `im`, `base`, `drive`) is consistent with its stated purpose of cross-platform knowledge management within the Lark environment.
Audit Metadata