feishu-doc-orchestrator
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages and processes sensitive Feishu API credentials, including FEISHU_APP_ID, FEISHU_APP_SECRET, and User Access Tokens. These are stored and retrieved from local configuration files such as `.claude/feishu-config.env` and `feishu-token.json`, granting the skill high-privilege access to the user's Feishu workspace.
- [COMMAND_EXECUTION]: The orchestrator component (`orchestrator.py`) utilizes the `subprocess` module to programmatically execute multiple Python scripts within the skill's directory structure to manage the workflow.
- [COMMAND_EXECUTION]: The verification sub-skill (`doc_verifier.py`) employs the Playwright library to launch and control a headless Chromium browser instance. This allows for automated navigation and interaction with Feishu URLs to verify document creation.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface when processing external Markdown data, characterized by the following:
  1. Ingestion points: The `md_parser.py` script reads local Markdown files.
  2. Boundary markers: There are no explicit markers or instructions provided to the agent to distinguish between its own logic and instructions embedded within the processed Markdown.
  3. Capability inventory: The skill has the capability to perform network requests (`requests`) and execute system processes (`subprocess`).
  4. Sanitization: The skill performs defensive cleaning of zero-width characters and specific Markdown markers in `md_parser.py`, which mitigates some obfuscation risks but does not filter for malicious instructional content.
Audit Metadata