lark-manager
Fail
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill reads sensitive application credentials from the local configuration file at `~/.openclaw/openclaw.json` and uses them for API authentication.
- [EXTERNAL_DOWNLOADS]: The script attempts to install the `python-docx` library from the PyPI registry at runtime if it is not found on the host system, which introduces risks associated with unverified dependencies.
- [COMMAND_EXECUTION]: The skill uses `child_process.execSync` to execute dynamically generated Python scripts and shell commands to facilitate document conversion and permission management.
- [PROMPT_INJECTION]: The skill processes untrusted markdown data from the workspace and converts it into document blocks without sanitization or boundary markers, creating a surface for indirect prompt injection that could influence the agent's behavior through manipulated document content. Evidence:
  1. Ingestion points: markdown files read via the `--file` argument.
  2. Boundary markers: None.
  3. Capability inventory: subprocess execution via `execSync`, network operations to Feishu API, and document permission management.
  4. Sanitization: No explicit sanitization or escaping of markdown content before parsing into API structures.
Recommendations
- AI detected serious security threats
Audit Metadata