feishu-messaging

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface because it is designed to ingest untrusted data from an external source (reading Feishu messages via im:message) and has the capability to execute side-effect-heavy actions (sending messages, creating documents, and managing wikis).
      • Ingestion points: Feishu messages retrieved through API.
      • Boundary markers: None. There is no evidence of delimiters or instructions to the agent to ignore embedded commands in the processed messages.
      • Capability inventory: im_v1_message_create (write), docx:document (write/modify), bitable:app (write/modify), wiki:wiki (write/modify).
      • Sanitization: None. The skill lacks validation or filtering for content retrieved from external messages.
  • Data Exposure (MEDIUM): The skill contains hardcoded Personally Identifiable Information (PII) and internal identifiers in the 已知用户 ID 记录 (Known User ID Records) table, including a full name, a specific open_id (ou_18b8063b232cbdec73ea1541dfb74890), and an internal company email address.
  • Unsafe Application Solicitation (HIGH): The skill includes direct links and instructions to grant extensive permissions (contacts, messages, documents, knowledge base) to a specific, hardcoded Feishu App ID (cli_a8831f109ffc500e). This pattern is characteristic of social engineering where a user is tricked into granting an attacker-controlled application full access to their corporate workspace.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:16 PM