dws
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface because it retrieves and processes content from external DingTalk sources (such as chat messages, document summaries, and table records) and has the capability to perform impactful write and delete operations.
  - Ingestion points: Untrusted data is ingested through commands like `chat message list`, `aitable record query`, and `minutes get summary`.
  - Boundary markers: The instructions lack explicit boundary markers or directions for the agent to ignore instructions embedded within the processed data.
  - Capability inventory: The skill can execute various actions (record modifications, message dispatch, task deletion) via `subprocess.run` calls to the `dws` CLI across multiple files.
  - Sanitization: Although some scripts provide data type validation and path resolution, there is no evidence of robust sanitization or escaping of textual content before processing.
- [COMMAND_EXECUTION]: Extensive use of `subprocess.run` in automation scripts (e.g., `aiapp_create_and_poll.py`, `bot_broadcast.py`, `calendar_schedule_meeting.py`) involves passing arguments derived from user-supplied strings (prompts, titles, text) to the local `dws` binary. This creates a potential for command argument injection if the input strings are not strictly validated.
- [EXTERNAL_DOWNLOADS]: The `upload_attachment.py` script interacts with external URLs by performing an HTTP PUT request to an `uploadUrl` provided by the service. This constitutes a network egress point to a dynamic destination.
Audit Metadata