create-colleague

Warn

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script tools/feishu_mcp_client.py runs npx -y feishu-mcp --stdio, which downloads the feishu-mcp package from the public NPM registry at runtime and executes it. The -y flag suppresses the install confirmation and no version or integrity hash is pinned, so whatever the registry serves at that moment runs with the user's privileges. Running unpinned packages from public registries is a supply-chain risk: a hijacked or malicious release of the package would execute on the next invocation with no change to the skill itself.
  • [COMMAND_EXECUTION]: The main SKILL.md uses the Bash tool to execute a suite of local Python scripts for data parsing, collection, and version management. Additionally, tools/feishu_mcp_client.py uses subprocess.run to call external Node.js utilities.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch large volumes of data from external enterprise APIs (Feishu/DingTalk) and via browser automation using Playwright. While this is the intended functionality, the data consists of sensitive corporate communications and documents, which leave the access controls of the source system once they are collected onto the local machine.
  • [CREDENTIALS_UNSAFE]: The skill instructs users to provide enterprise App ID and App Secret for Feishu and DingTalk. These secrets are written to JSON config files in the user's home directory (~/.colleague-skill/feishu_config.json and ~/.colleague-skill/dingtalk_config.json). While this is standard for local tools, these are high-privilege enterprise app credentials: the files should be readable only by the owning user, kept out of backups, logs and version control, and the secrets rotated if the machine is shared or compromised.
  • [PROMPT_INJECTION]: The skill processes untrusted third-party data (chat logs, emails, documents) through its analysis prompts (prompts/work_analyzer.md, prompts/persona_analyzer.md). This represents an indirect prompt injection surface where malicious instructions hidden in a colleague's messages could attempt to influence the agent's behavior during the 'distillation' process.
  • Ingestion points: Reads files via Read tool, parses EML/MBOX via email_parser.py, and collects API/Browser data via feishu_auto_collector.py and dingtalk_auto_collector.py.
  • Boundary markers: Missing; the skill directly interpolates raw message content into prompts for analysis.
  • Capability inventory: Uses Write and Edit to create new skill files and Bash to execute local scripts and NPM packages.
  • Sanitization: No explicit sanitization or filtering of the ingested chat/email content is performed before analysis.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 30, 2026, 03:40 PM