better-lark
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing the `lark-cli` binary for all Lark platform interactions. It also runs a local bash script `scripts/helper.sh` for environment detection and profile management (using the macOS keychain for secure secret storage). Additionally, it generates and executes Node.js scripts to calculate complex layouts for whiteboard diagrams as seen in various scene templates.
- [EXTERNAL_DOWNLOADS]: The skill utilizes `npx` to run the official `@larksuite/whiteboard-cli` package for rendering diagrams and fetches API specification data from trusted developer domains such as `open.feishu.cn`.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it reads data from messages, emails, and documents. However, it provides structured guidelines for the agent to verify user intent before performing actions and uses official CLI tools which act as a layer of separation from the ingested data.
Audit Metadata