dingtalk-tb-ai-skill
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The README.md file contains standard installation instructions for the 'uv' package manager via 'astral.sh'. This is a well-known and widely used tool in the Python development ecosystem and is treated as a safe external reference.
- [PROMPT_INJECTION]: The skill manages tasks and projects by constructing TQL (Teambition Query Language) strings from user-provided input, which represents an indirect prompt injection surface.
  - Ingestion points: Command-line arguments used as search filters in scripts like 'scripts/query-tasks.py' and 'scripts/query-projects.py'.
  - Boundary markers: None are explicitly implemented in the script logic to separate user data from query instructions.
  - Capability inventory: The skill performs authenticated network requests to 'open.teambition.com' and executes internal scripts via subprocesses.
  - Sanitization: User input is interpolated into query strings without dedicated sanitization, relying on the Teambition API's permission model to restrict data access.
Audit Metadata