lark-cli-router
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill installs the 'feishu-cli' tool by downloading a shell script from a personal GitHub repository ('riba2534') and piping it directly to 'bash' ('curl -fsSL https://raw.githubusercontent.com/riba2534/feishu-cli/main/install.sh | bash'). This pattern allows for the execution of unverified remote code on the host machine.
- [EXTERNAL_DOWNLOADS]: The skill fetches software from external registries, including the official '@larksuite/cli' from the npm registry and the community-maintained 'feishu-cli' from GitHub.
- [COMMAND_EXECUTION]: The agent is instructed to perform numerous shell operations, including environment checks, tool installation, and service authentication ('auth login', 'config init').
- [PROMPT_INJECTION]: The skill processes untrusted Markdown data for document conversion tasks (Category 8 surface). Evidence:
  1. Ingestion points: Markdown files ingested during 'doc import' and 'doc export' workflows.
  2. Boundary markers: Absent; no delimiters or instructions are provided to ignore embedded instructions in the source documents.
  3. Capability inventory: Full shell execution (npm, go, bash), package installation, and platform API interactions.
  4. Sanitization: Absent; the skill does not specify any validation or filtering of ingested file content before processing.
  Malicious instructions inside processed documents could potentially influence the agent's behavior via the skill's extensive capabilities.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/riba2534/feishu-cli/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata