identity-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The file
auto_scan.jsusesexecSyncto call an external script with arguments derived from previous command outputs. Specifically, the variablegroup.chat_idis interpolated directly into a shell command string:node "${GROUP_INTEL_SCRIPT}" members "${group.chat_id}". If the data returned by the group list command contains shell metacharacters in thechat_idfield, it could lead to arbitrary command execution. - [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection Surface (Category 8). The skill ingests untrusted data from the Feishu API and other scripts to populate a persistent identity registry.
- Ingestion points:
sync.js(Feishu API) andauto_scan.js(external script output). - Boundary markers: None. Data is parsed and written directly to
user_registry.json. - Capability inventory:
execSyncinauto_scan.js, file-write operations touser_registry.jsoninindex.js,sync.js, andauto_scan.js. - Sanitization: Absent. There is no escaping or validation of user-controlled strings (names, IDs, aliases) before they are stored or used in command line arguments.
- [EXTERNAL_DOWNLOADS] (LOW): The skill depends on
fs-extra, a common and trusted Node.js package. No suspicious remote code downloads were detected.
Recommendations
- AI detected serious security threats
Audit Metadata