create-boss (skills/nicepkg/boss-skill/create-boss)

Warn

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: MEDIUM
Finding categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, SAFE

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The tools/feishu_mcp_client.py script executes npx -y feishu-mcp --stdio, which downloads and runs code from the NPM registry at runtime without user confirmation. This pattern can be exploited if the remote package is compromised or substituted (for example, through a malicious update to the package or a typosquatted name).
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to run local Python scripts (tools/) which in turn spawn subprocesses to perform data collection, image analysis, and code generation tasks.
  • [DATA_EXFILTRATION]: The skill is explicitly designed to ingest highly sensitive corporate data, including chat histories from Feishu, Slack, and DingTalk, as well as emails and private documents. While the logic appears to process this data locally to generate a new skill, the ingestion of such broad workplace context into an AI environment represents a significant data exposure risk.
  • [DYNAMIC_EXECUTION]: The tools/create_boss.py script dynamically generates a completely new AI Agent Skill directory. It writes a new SKILL.md, personality profiles, and copies prompt templates to a user-defined directory. This generated skill is immediately executable by the agent, representing a multi-stage execution flow where the agent creates its own subsequent instructions.
  • [REMOTE_CODE_EXECUTION]: The tools/feishu_browser.py script uses Playwright to access the user's local Chrome Profile (--chrome-profile). This allows the skill to bypass multi-factor authentication and access any web-based corporate resource the user is logged into, including private chats and documents.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
    ◦ Ingestion points: Untrusted data enters the context via the Feishu/Lark, DingTalk, Slack, and email collectors (tools/feishu_auto_collector.py, etc.).
    ◦ Boundary markers: The skill lacks robust delimiters or "ignore embedded instructions" warnings when processing this external data.
    ◦ Capability inventory: The skill can write files (create_boss.py), execute shell commands (feishu_mcp_client.py), and read local browser profiles (feishu_browser.py).
    ◦ Sanitization: There is no evidence of sanitization or filtering of the ingested communication data before it is used to generate the management style and persona of the new AI "boss".
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 8, 2026, 05:47 AM