lark
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The
retry_with_backofffunction inscripts/lark-auth.shuseseval "$cmd"to execute shell commands. This pattern can be dangerous if the command string is influenced by untrusted input. - [PROMPT_INJECTION]: The skill processes external content from Lark documents via the
/lark readcommand, creating a surface for indirect prompt injection. Maliciously crafted documents could attempt to influence the agent's behavior. - Ingestion points: Document content is fetched from the Lark API via the
get_all_document_blocksfunction inscripts/lark-auth.sh. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are added to the parsed document content.
- Capability inventory: The skill possesses capabilities to edit documents (
update_block), send messages (mcp__tn-lark__im_v1_message_create), and search for users. - Sanitization: Content retrieved from the API is converted to markdown but is not sanitized to remove or neutralize potential prompt injection attacks.
- [EXTERNAL_DOWNLOADS]: The skill communicates with Lark's official API endpoints (
open.larksuite.com) to manage authentication and document data. - [DATA_EXFILTRATION]: Authentication tokens are cached in the
/tmp/claude/lark/lark-token.cachefile. Storing sensitive access tokens in a shared temporary directory can lead to unintended exposure.
Audit Metadata