feishu-assistant

Warn

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/setup.py script executes shell commands to automate the installation of system dependencies. On Linux platforms, it uses sudo with package managers such as apt, dnf, or yum to install Node.js and npm. This requires administrative privileges and occurs during the skill's initial configuration phase.
  • [EXTERNAL_DOWNLOADS]: The skill's setup process automatically downloads and installs third-party software from public registries. It uses pip to install the requests library and npm to globally install the official Feishu CLI (@larksuite/cli). While these are well-known tools, the automated installation of external code is a security consideration for the execution environment.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted content from external sources.
  • Ingestion points: External data enters the agent context through functions that fetch Feishu group messages (get-chat-messages), read wiki articles (read-wiki-node), and retrieve emails (read-mail).
  • Boundary markers: The skill does not implement delimiters or specific instructions to the AI to ignore instructions embedded within the data retrieved from Feishu.
  • Capability inventory: The skill has significant capabilities that could be abused if the AI is successfully injected, such as dissolving group chats (dissolve-chat), deleting calendar events (delete-event), and clearing entire document contents (replace_doc.py).
  • Sanitization: Content fetched from external APIs is passed directly to the AI as strings without specific sanitization or validation of the content's safety.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 12, 2026, 05:56 AM
Security Audit — agent-trust-hub — feishu-assistant