dws-cli

Fail

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The SKILL.md file suggests an installation method using curl -fsSL .../install.sh | sh. Piped shell execution from remote sources is a high-risk pattern that can lead to arbitrary code execution if the source is compromised or untrusted.
  • [EXTERNAL_DOWNLOADS]: The skill references numerous Python scripts in a scripts/ directory (e.g., scripts/upload_attachment.py, scripts/attendance_my_record.py) which are not included in the provided files. These external dependencies are unverifiable and could perform malicious actions.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8). It ingests untrusted data from DingTalk sources (chat messages, table records, reports) and possesses significant capabilities such as deleting records, removing group members, and sending messages.
    ◦ Ingestion points: Data enters the context via dws aitable record query, dws chat search, dws report list, etc.
    ◦ Boundary markers: None identified; the instructions do not specify delimiters for external data.
    ◦ Capability inventory: The skill can delete AI Tables, remove group members, and broadcast messages via dws aitable base delete, dws chat group members remove, and dws chat message send-by-bot.
    ◦ Sanitization: No sanitization or validation of the ingested content is described in the reference documentation.
  • [COMMAND_EXECUTION]: The skill's primary mode of operation is generating and executing shell commands for the dws CLI, which allows for complex interactions with DingTalk services. While this is the intended functionality, it grants the agent broad access to perform sensitive operations.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 30, 2026, 12:46 AM