lark-workflow-meeting-todo
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill processes untrusted external data from meeting notes (`vc +notes`), document contents (`docs +fetch`), and AI-generated transcripts (`minutes minutes get`). Malicious instructions embedded in these sources could potentially influence the agent's logic when creating tasks or sending confirmation messages.
  - Ingestion points: Reads content from documents, meeting notes, and transcripts via `lark-cli` (SKILL.md).
  - Boundary markers: The skill does not define any delimiters or clear instructions to the AI to ignore embedded commands within the extracted meeting content.
  - Capability inventory: The skill has the ability to send messages (`im +messages-send`), create tasks (`task +create`), and modify database records (`base +record-upsert`).
  - Sanitization: No sanitization or validation logic is specified for the data extracted from meeting notes before it is presented to the user or used to create tasks.
- [DATA_EXFILTRATION]: Accesses highly sensitive user data. The skill is designed to search and read through a user's meeting records, document content, and personal or work emails (`mail +messages-search`). While the workflow describes keeping this data within the Lark platform, the extensive access to private communications represents a significant data exposure risk if the agent is compromised or misled.
- [COMMAND_EXECUTION]: The skill relies on the execution of shell commands via the `lark-cli` binary and standard system utilities like `date` for time calculations. While these are used for the skill's primary functionality, they provide a vector for command injection if input parameters are not correctly handled by the underlying agent platform.
Audit Metadata