zhimeng-agent

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
DATA_EXFILTRATION | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill ingests untrusted content from a local Obsidian vault and uses it to generate responses or trigger actions. Evidence: (1) Ingestion point: /Users/qitmac001395/Documents/Obsidian Vault. (2) Capability inventory: Access to mcp__feishu__im_v1_message_create and local file read via SOP 2. (3) Boundary markers: Absent. (4) Sanitization: Absent. An attacker could place malicious instructions in a markdown file that the agent retrieves during a RAG query, leading to unauthorized data exfiltration via Feishu.
  • Data Exfiltration (MEDIUM): SOP 2 explicitly defines a workflow to read local journal files and send formatted content to a specific hardcoded Feishu user ID. This creates a functional pathway for sensitive personal data to leave the local environment via external API calls.
  • Command Execution (LOW): The skill provides documentation for executing shell commands (uvicorn, poetry) to manage the local service. While intended for administration, these commands facilitate the setup of a persistent network-listening service on the host machine.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 11:15 AM