feishu-automation
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE, PROMPT_INJECTION, NO_CODE
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection. It ingests untrusted data from Feishu (messages, documents, and table records) and has powerful capabilities (Bash, Read, Write, Edit). An attacker could send a malicious message or create a document with instructions that the agent might execute.
  - Ingestion points: Feishu messages, cloud documents, and Bitable records accessed via mcp__feishu__* tools.
  - Boundary markers: None specified in the documentation or manifest to delimit external data from system instructions.
  - Capability inventory: Bash (command execution), Write (file system modification), and Edit (file modification) are explicitly allowed in the allowed-tools section.
  - Sanitization: No sanitization or validation logic is described or implemented in the manifest.
- [NO_CODE] (SAFE): The skill package contains no executable script files (.js, .py, .sh). It consists entirely of a Markdown manifest (SKILL.md) and descriptive text files. This reduces the immediate risk of hardcoded malicious logic but does not eliminate the architectural risks defined in the manifest.
Audit Metadata