feishu-cli-read
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interpolates user-supplied arguments like
<document_id>,<node_token>, and<url>directly into shell commands (e.g.,feishu-cli doc export <document_id>). If these inputs contain shell metacharacters such as semicolons or pipes, it could result in arbitrary command execution on the host system. - [PROMPT_INJECTION]: The skill is designed to ingest and analyze external document content, which introduces a surface for indirect prompt injection. Malicious instructions placed inside a Feishu document could influence the agent's behavior once the content is read into the context.
- Ingestion points: Document content is exported to
/tmp/feishu_doc.mdand/tmp/feishu_wiki.mdbefore being processed by the agent (SKILL.md). - Boundary markers: None. The skill does not define delimiters or provide instructions to the agent to treat document content as data rather than instructions.
- Capability inventory: The skill allows use of
Bash,Read, andGreptools, which could be leveraged by an attacker following a successful injection. - Sanitization: There is no evidence of input validation or content filtering to mitigate malicious payloads in the document text.
Audit Metadata