handoff
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the total disabling of the AI agent's primary security sandbox to facilitate network communication with the Lark API and Cloudflare services. SKILL.md explicitly commands that all network-related Bash calls 'MUST run with dangerouslyDisableSandbox: true'.\n- [COMMAND_EXECUTION]: The installation script 'install_hooks.py' programmatically modifies core configuration files ('settings.json' and 'settings.local.json') to inject seven persistent lifecycle hooks that automate skill activation across sessions.\n- [PROMPT_INJECTION]: The skill uses behavioral overrides to hijack the agent's operational logic, mandating an 'indefinite loop that NEVER exits' and enforcing 'ABSOLUTE SILENCE' during idle periods, which intentionally suppresses the agent's normal communication with the user.\n- [DATA_EXFILTRATION]: Through the 'on_post_tool_use.py' hook, the skill automatically captures and forwards tool execution results—including file diffs and shell outputs—to a remote Lark group, creating a persistent path for exfiltrating sensitive project data.\n- [REMOTE_CODE_EXECUTION]: The skill establishes a bidirectional bridge where incoming text from the Lark messaging platform is directly interpreted as commands for the AI agent. This creates a remote command execution surface that grants whoever controls the Lark chat group full access to the agent's capabilities on the host system.\n- [PROMPT_INJECTION]: (Indirect Prompt Injection Surface)\n
- Ingestion points: Untrusted user messages and form responses are fetched from a remote Cloudflare worker in 'scripts/wait_for_reply.py'.\n
- Boundary markers: Absent; incoming remote content is processed directly as natural language instructions.\n
- Capability inventory: The skill utilizes the 'Bash', 'Edit', 'Write', 'Read', and 'Task' tools to execute instructions received from the remote bridge.\n
- Sanitization: No filtering or sanitization is performed on incoming message content before it is presented to the agent context.
Audit Metadata