lark-workflow-personal-crm
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the `lark-cli` binary to perform sensitive operations including authentication (`auth login`), reading private emails (`mail +messages`), accessing calendar events (`calendar +agenda`), and searching the corporate directory (`contact +search-user`).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests and processes untrusted data from external sources.
  - Ingestion points: Untrusted data enters the agent context via `lark-cli mail +messages` (email bodies/subjects) and `calendar +agenda` (meeting descriptions/titles) as defined in `SKILL.md`.
  - Boundary markers: The instructions do not define clear delimiters or "ignore embedded instructions" warnings for the processed content.
  - Capability inventory: The agent has the capability to write to data stores (`lark-cli base +record-upsert`), create new table structures (`lark-cli base +table-create`), and send automated messages to users (`lark-cli im +messages-send`).
  - Sanitization: There is no explicit sanitization or validation of the ingested email/calendar content before it is processed by the AI for extraction and summarization.
Audit Metadata