yuque-lakebook-export-cn
Fail
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/yuque_lakebook_export/lake_setup.py parses the table of contents (tocYml) extracted from .lakebook files with yaml.load() using the unsafe yaml.Loader. That loader constructs arbitrary Python objects from tagged YAML nodes, so processing a maliciously crafted .lakebook file can execute attacker-chosen code on the user's machine.
- [COMMAND_EXECUTION]: In scripts/yuque_lakebook_export/lake_setup.py, the convert_to_md function calls os.system() to open the output directory when conversion finishes. The path is concatenated into a shell command line (e.g. explorer or open) without sanitising shell metacharacters, so a .lakebook filename or output path containing characters such as | or ; can cause arbitrary shell commands to run.
- [EXTERNAL_DOWNLOADS]: The skill makes automated network requests with the requests library in scripts/yuque_lakebook_export/lake_handle.py to download images and attachments from remote URLs found inside the source documents.
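The following is an added example and not code from yuque-lakebook-export-cn. It reproduces the two lake_setup.py patterns described in the findings (a tocYml document fed to yaml.Loader, and an output path pasted into an os.system() string) next to a hardened form of each, and adds a scheme/host gate of the kind a practitioner would put in front of the lake_handle.py downloads. The function names, the sample TOC documents, the hostile path and the allowlisted host are all constructed for the illustration; the project's real identifiers differ.

```python
# Added example (not the project's code). Assumed names: parse_toc_*,
# open_dir_*, is_allowed_download, BENIGN_TOC, HOSTILE_TOC, cdn.example.
import os
import platform
import subprocess
from urllib.parse import urlparse

import yaml

# Constructed sample tocYml documents. HOSTILE_TOC uses PyYAML's
# python/object/apply tag: yaml.Loader resolves it to a function call
# (os.getcwd() here, which is harmless; an attacker would pick os.system).
BENIGN_TOC = "- title: Intro\n  url: intro\n- title: Setup\n  url: setup\n"
HOSTILE_TOC = "!!python/object/apply:os.getcwd []\n"


def parse_toc_unsafe(toc_yml: str):
    # Pattern reported in the finding: the full Loader constructs arbitrary
    # Python objects, so the document decides what code runs.
    return yaml.load(toc_yml, Loader=yaml.Loader)


def parse_toc_safe(toc_yml: str):
    # Hardened form: SafeLoader only builds scalars, lists and dicts and
    # raises yaml.constructor.ConstructorError on python/* tags.
    return yaml.safe_load(toc_yml)


def safe_parse_rejects(toc_yml: str) -> bool:
    # True when SafeLoader refuses the document, False when it parses cleanly.
    try:
        yaml.safe_load(toc_yml)
    except yaml.YAMLError:
        return True
    return False


def opener_for(system: str) -> str:
    # Platform-specific command that reveals a directory in the file manager.
    return {"Windows": "explorer", "Darwin": "open"}.get(system, "xdg-open")


def open_dir_shell_string(output_dir: str, system: str) -> str:
    # Pattern reported in the finding: the path becomes part of a shell
    # command line, so metacharacters in it are parsed as shell syntax.
    return opener_for(system) + " " + output_dir


def open_dir_argv(output_dir: str, system: str) -> list:
    # Hardened form: the path is a single argv element. No shell is involved,
    # so '|', ';', '&' and friends reach the opener as plain characters.
    return [opener_for(system), os.fspath(output_dir)]


def open_output_dir(output_dir: str) -> None:
    # Refuse anything that is not an existing directory, then run the opener
    # without shell=True.
    if not os.path.isdir(output_dir):
        raise ValueError("not a directory: %r" % output_dir)
    subprocess.run(open_dir_argv(output_dir, platform.system()), check=False)


def is_allowed_download(url: str, allowed_hosts) -> bool:
    # Gate for URLs taken from a document before requests.get() sees them:
    # http(s) only, and only hosts on an explicit allowlist. This is an
    # assumed policy; the finding states the project applies no such filter.
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


if __name__ == "__main__":
    hostile_dir = "out; touch /tmp/pwned"  # constructed hostile output path
    print("shell string:", open_dir_shell_string(hostile_dir, "Darwin"))
    print("argv list:   ", open_dir_argv(hostile_dir, "Darwin"))
    print("safe_load:   ", parse_toc_safe(BENIGN_TOC))
    print("Loader ran os.getcwd():", parse_toc_unsafe(HOSTILE_TOC))
    print("safe_load rejects hostile TOC:", safe_parse_rejects(HOSTILE_TOC))
```

Running the block with the hostile path shows the difference directly: the shell string `open out; touch /tmp/pwned` is two commands to /bin/sh, while the argv list `['open', 'out; touch /tmp/pwned']` is one command with one odd-looking argument. The same split applies to the YAML finding: yaml.Loader returns the result of os.getcwd() because the document asked for it, whereas yaml.safe_load raises before any Python object is built.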
Recommendations
- AI detected serious security threats
Audit Metadata