feishu-doc

Pass

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill acts as an intermediary for external data from Feishu Docs, Wikis, and Bitables. This creates an indirect prompt injection surface where malicious instructions embedded in a Feishu document could attempt to control the agent's subsequent actions.
    • Ingestion points: Content is fetched via index.js (readDoc), lib/docx.js, lib/bitable.js, and lib/sheet.js.
    • Boundary markers: Absent. The skill does not wrap fetched content in delimiters or provide 'ignore instructions' warnings before passing data to the agent.
    • Capability inventory: The agent can write to Feishu documents (writeDoc, appendDoc) and save files to the local system (download_file.js).
    • Sanitization: input_guard.js provides sanitization for Feishu API compatibility but does not filter content for malicious prompts.
  • [COMMAND_EXECUTION]: The script download_file.js accepts a local file path as a command-line argument and writes data to it. While intended for downloading Feishu attachments, this capability could be exploited via prompt injection to overwrite sensitive local files if the agent is directed to use an unsafe path.
  • [DATA_EXFILTRATION]: lib/auth.js contains logic to search for .env files up to four directory levels above the current working directory. This broad search for configuration files could lead to the unintended exposure of host environment secrets if multiple projects share a file system.
  • [EXTERNAL_DOWNLOADS]: The skill relies on several Node.js packages (commander, axios, dotenv) that are required by its scripts but are not declared in the package.json manifest, leading to an inconsistent dependency state.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 28, 2026, 11:29 AM