agent-onboarding
Audited by Snyk on Jun 8, 2026
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.75). Several items are high-risk: the unknown GitHub repo (potentially low-reputation or typosquatted) and the direct installer scripts (https://claude.ai/install.sh and install.ps1) are common malware-delivery vectors. The feishu/open-feishu URLs are API/webhook endpoints rather than downloads, but they can be abused for data exfiltration. Treat all of these sources as suspicious until you have verified domain legitimacy, inspected the script and repository contents, and confirmed signatures or community trust.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.78). The skill's workflow, in "Project 09 · Weekly Industry Briefing", fetches content from the network (WebFetch / browser rendering) and places page bodies or fragments into the LLM context as readable text. This is an indirect prompt-injection exposure path via public web content (pages and articles fetched at runtime).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs fetching and executing remote installer scripts and repository code at runtime: the install commands curl -fsSL https://claude.ai/install.sh | bash and irm https://claude.ai/install.ps1 | iex, and the required skill repo https://github.com/kaijie0074-art/agent-onboarding-skill, which the agent/installer downloads and loads. These URLs therefore cause remote code to be fetched and executed as required dependencies.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I reviewed the entire skill document content, judging by the rule "flag only high-entropy credentials that are directly present and usable".
Actual credentials found:
- In references/反馈bug.md there is a complete Feishu custom-bot webhook URL: https://open.feishu.cn/open-apis/bot/v2/hook/45a4610c-19cb-4319-8f0e-0eb3083d5353. This is a usable endpoint for sending messages directly to that bot (it contains a UUID-style high-entropy path), so it is an abusable, practical credential and should be treated as sensitive information.
Content I ignored / did not flag (with reasons):
- All example e-mail addresses, phone numbers, company names and sample data (such as linxiao@xiaoguang.tech and 138-0000-0000) are low-entropy or sample values and do not constitute abusable secrets.
- Common commands, environment-variable names (LARK_CLI_NO_PROXY etc.), installation scripts, download links and documentation placeholders are non-sensitive or public information and are not flagged.
- No private keys (PEM/RSA), long API secrets (sk-... instances) or other high-entropy key strings were found in the document, apart from the webhook above.
Conclusion: the document contains one directly usable webhook URL, which should be treated as a leaked credential and handled (remove it, rotate it, or replace it with a placeholder).
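The finding's rule (report only credentials that are present and usable as-is; skip sample e-mails, phone numbers, environment-variable names and placeholders) can be implemented with two layers: structural patterns for credential formats that are usable on sight, such as a Feishu/Lark bot webhook, and an entropy test for anonymous long runs of key-like characters. The block below is an added example of that approach, not Snyk's detector. The entropy thresholds (3.0 bits per character for hex-like runs, 4.5 for base64-like runs) are the common detect-secrets heuristic and are an assumption here; the sample document is constructed, and its webhook UUID and commit hash are made up for the example rather than taken from the audited skill.

```python
"""Report directly usable credentials in skill content and skip sample data.

Added example for this finding, not Snyk's detector. SAMPLE_DOC is constructed;
its webhook UUID is made up. Thresholds are the detect-secrets heuristic (assumed).
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Structural formats: the UUID is the whole secret, so the URL is usable on sight.
FEISHU_WEBHOOK = re.compile(
    r"https://open\.(?:feishu\.cn|larksuite\.com)/open-apis/bot/v2/hook/([0-9a-fA-F-]{36})"
)
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SK_KEY = re.compile(r"\bsk-([A-Za-z0-9_-]{20,})")
# Anonymous runs: hex-like and base64-like strings of at least 32 characters.
HEX_RUN = re.compile(r"(?<![\w+=-])([0-9a-fA-F-]{32,})(?![\w+=-])")
B64_RUN = re.compile(r"(?<![\w/+=-])([A-Za-z0-9+/=_-]{32,})(?![\w/+=-])")

# (kind, pattern, group holding the secret part, minimum entropy in bits/char)
RULES = (
    ("feishu-webhook", FEISHU_WEBHOOK, 1, 0.0),  # usable whatever its entropy
    ("private-key", PRIVATE_KEY, 0, 0.0),
    ("sk-prefixed-key", SK_KEY, 1, 3.0),         # drops sk-XXXXXXXX placeholders
    ("hex-run", HEX_RUN, 1, 3.0),
    ("base64-run", B64_RUN, 1, 4.5),             # repo slugs and URL paths stay below this
)


@dataclass(frozen=True)
class Secret:
    kind: str
    value: str
    line: int
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex tends towards 4.0, an all-X placeholder is 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_secrets(text: str) -> list[Secret]:
    """Return usable credentials in document order; more specific rules win overlaps."""
    found: list[Secret] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        taken: list[tuple[int, int]] = []  # spans already reported on this line
        for kind, pattern, group, threshold in RULES:
            for m in pattern.finditer(line):
                if any(a <= m.start() and m.end() <= b for a, b in taken):
                    continue  # already covered by a more specific rule
                entropy = shannon_entropy(m.group(group))
                if entropy < threshold:
                    continue  # placeholder or sample data, not a usable secret
                taken.append(m.span())
                found.append(Secret(kind, m.group(0), lineno, round(entropy, 2)))
    return found


def redact(text: str, secrets: list[Secret]) -> str:
    """Replace each reported value with a placeholder (the fix the finding asks for)."""
    for s in secrets:
        text = text.replace(s.value, f"<REDACTED:{s.kind}>")
    return text


# Constructed document: only line 3 (webhook) and line 8 (hex run) should be reported.
SAMPLE_DOC = """\
# references/feedback-bug.md (constructed)
Contact: linxiao@xiaoguang.tech, 138-0000-0000
Webhook: https://open.feishu.cn/open-apis/bot/v2/hook/3f9d2c7a-8b1e-4e6f-9a0c-5d4b2e1f7a8c
export LARK_CLI_NO_PROXY=1
export OPENAI_API_KEY=sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Install: curl -fsSL https://claude.ai/install.sh | bash
Repo: https://github.com/kaijie0074-art/agent-onboarding-skill
Commit pin: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

if __name__ == "__main__":
    hits = scan_secrets(SAMPLE_DOC)
    for s in hits:
        print(f"line {s.line}: {s.kind} (entropy {s.entropy}) {s.value}")
    print(redact(SAMPLE_DOC, hits))
```

The webhook is reported by its structure, so it would be caught even with a low-entropy path; the entropy test exists for the anonymous case, and the rotation step still matters after redaction because anyone who already has the URL can keep posting to the bot. The hex-run hit on the last sample line shows the known weakness of the entropy layer: a commit hash has the same shape as a hex secret, so generic hits need a human look, which is why the finding separates "actual credentials" from "ignored content".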
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs the agent to auto-install tools (brew/pip/npm), change system settings (fonts, proxy environment variables), run commands and modify the host environment. These actions alter machine state and can require elevated privileges, so the skill pushes the agent to modify the host system.
MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
- Hidden Unicode characters detected (1 type(s) found)