lark
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The helper script `scripts/helper.sh` contains a code injection vulnerability. In the `restore-keychain` command, the user-supplied profile name is interpolated directly into a Python script string passed to `python3 -c`. If a malicious profile name containing single quotes and Python commands is provided, it allows for arbitrary code execution within the Python process.
- [PROMPT_INJECTION]: The skill exhibits a significant surface area for indirect prompt injection (Category 8) due to its core functionality of processing external communication and documentation data.
  - Ingestion points: The skill reads IM messages, retrieves cloud document content, and fetches meeting notes (e.g., `references/lark-im-chat-messages-list.md`, `references/lark-doc-fetch.md`, `references/lark-vc-notes.md`).
  - Boundary markers: There are no instructions to use robust delimiters or to treat ingested content as untrusted data.
  - Capability inventory: The skill has extensive 'write' capabilities, including sending messages, updating documents, modifying database records, and managing access permissions (documented across `references/im.md`, `references/doc.md`, and `references/role-config.md`).
  - Sanitization: No explicit sanitization or filtering of external content is mentioned before it is processed by the agent.
- [DATA_EXFILTRATION]: The script `scripts/helper.sh` accesses sensitive configuration files and hidden secret files in the user's home directory (`~/.lark-cli/config-*.json` and `~/.lark-cli/.$profile.secret`) to manage application credentials.
- [EXTERNAL_DOWNLOADS]: The skill instructions (e.g., in `references/whiteboard-scenes/bar-chart.md`) direct the agent to download and execute the `@larksuite/whiteboard-cli` package via `npx`. This is recognized as a reference to a well-known service and organization.
Audit Metadata