lark-apps
Pass
Audited by Gen Agent Trust Hub on Jul 8, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute local development commands, including
npm install,npm run dev, and severalgitoperations (clone, commit, push, checkout) within the user's local workspace as part of the standard full-stack development workflow. - [EXTERNAL_DOWNLOADS]: The skill utilizes
+initand+git-credential-initto facilitate cloning application source code from the vendor's remote repositories to the user's local environment. - [DATA_EXFILTRATION]: The skill includes functionality to upload local application files, static HTML assets, and environment variables to the Miaoda platform. These are core features of the tool used for legitimate application hosting and management.
- [CREDENTIALS_UNSAFE]: While the skill manages Git credentials and OpenAPI keys, it contains strict instructions for the agent never to print, log, or persist these secrets. It also uses a secure pattern where raw keys are only shown once upon creation or reset.
- [SAFE]: The skill implements several safety 'guardrails,' such as an automatic interceptor that prevents the accidental publishing of local credential files (like
.envor.aws/credentials) during HTML site deployment unless explicitly overridden by the user.
Audit Metadata