lark-workflow-onboard
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface detected. The skill ingests untrusted data and uses it to perform powerful organizational actions.
  - Ingestion points: Processes new employee names, department names, and IDs provided through user prompts or retrieved from contact search results.
  - Capability inventory: Includes capabilities to send messages (`im +messages-send`), manage group chat memberships (`im chat.members create`), and create tasks or calendar events across the Lark ecosystem.
  - Boundary markers: Absent. The skill does not use delimiters (such as XML tags or triple quotes) or provide 'ignore embedded instructions' warnings to isolate external data from its own logic.
  - Sanitization: Absent. User-provided data is directly interpolated into command-line arguments and markdown message bodies (e.g., '{姓名}') without validation or escaping.
- [PROMPT_INJECTION]: Use of high-priority directives to enforce specific execution sequences. The instruction 'CRITICAL — 开始前 MUST 先用 Read 工具读取 `../lark-shared/SKILL.md`' uses urgent markers ('CRITICAL', 'MUST') to mandate reading an external local file. While functional for setup, this pattern can be used to control agent flow or inject context from outside the immediate skill file.
Audit Metadata