lark-base
Pass
Audited by Gen Agent Trust Hub on May 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's primary purpose is to provide an interface for the AI agent to execute lark-cli commands. It includes extensive documentation for parameters and JSON payloads, emphasizing serial execution and validation to prevent race conditions or data corruption.
- [PROMPT_INJECTION]: No malicious prompt injection patterns were discovered. The instructions utilize 'Hard Rules' and 'Mandatory Read Acknowledgments' to enforce safety and correctness rather than bypassing agent safeguards.
- [DATA_EXPOSURE]: The skill uses placeholder tokens (e.g., bascnXXXXXXXX) and does not attempt to access sensitive local system files like SSH keys or cloud credentials. All network activity is directed toward legitimate vendor domains (feishu.cn).
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a potential attack surface for indirect prompt injection as it ingests untrusted data from multidimensional table cells (e.g., via +record-list or +record-get) and has the capability to perform write operations or send messages based on that data. However, the risk is mitigated by the skill's strict data analysis SOPs and the requirement for explicit user confirmation for high-risk operations.
  - Ingestion points: Data enters the context through record reading and search commands defined in references/lark-base-record.md and references/lark-base-data-analysis-sop.md.
  - Boundary markers: The skill relies on structured JSON processing but lacks explicit natural language delimiters to ignore instructions embedded in cell values.
  - Capability inventory: The agent can write records, modify workflows, and send Lark messages using lark-cli as documented in SKILL.md.
  - Sanitization: No specific sanitization logic for cell content is defined in the instructions.
Audit Metadata