lark-workflow-social-tracker

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface (Category 8).
    • Ingestion points: The workflow uses 'WebSearch' to retrieve data from public social media accounts (e.g., YouTube, Instagram, Twitter) based on user-provided handles or IDs. This external content is untrusted and could contain malicious instructions.
    • Boundary markers: The skill does not specify the use of delimiters or instructions to ignore embedded commands when the agent processes the retrieved search results.
    • Capability inventory: The skill possesses significant capabilities, including writing to Lark databases (lark-cli base +record-upsert), creating spreadsheets (lark-cli sheets +create), and sending instant messages (lark-cli im +messages-send).
    • Sanitization: There is no evidence of data validation or sanitization routines to filter or escape content retrieved from the web before it is passed to the AI for analysis or recorded in the system.
  • [COMMAND_EXECUTION]: The skill instructions include several shell commands utilizing the lark-cli tool. These commands are used to initialize database tables, update records, and send notifications. The use of this binary is consistent with the skill's stated purpose of integrating with the Lark workspace.
  • [EXTERNAL_DOWNLOADS]: The skill references a local shared file (../lark-shared/SKILL.md) to handle authentication and permission scoping for the Lark platform. This is a standard practice for modular skill design and leverages the existing security configuration of the well-known Lark service.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 13, 2026, 09:52 AM