lark-messages
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of reading external user communications from Lark/Feishu.
- Ingestion points: The agent ingests untrusted data from group chat history via the
mcp__lark__im_v1_message_listtool, as shown in Workflow 1 and Example 2. - Boundary markers: The instructions lack specific delimiters or boundary markers to distinguish between system instructions and data retrieved from messages. There are no explicit directions for the agent to ignore or sanitize instructions found within the message content.
- Capability inventory: The agent possesses high-impact capabilities, including sending messages (
mcp__lark__im_v1_message_create), creating groups (mcp__lark__im_v1_chat_create), and retrieving member lists, which could be misused if the agent obeys instructions injected into chat messages. - Sanitization: No sanitization or validation logic is defined to check for malicious payloads in the retrieved message strings before they are processed or displayed.
Audit Metadata