lark-switch

Warn

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill stores sensitive Lark application secrets in plaintext files within the ~/.lark-cli/ directory. Although it sets restrictive file permissions (chmod 600), storing secrets in plaintext on the filesystem is a security risk.
  • [COMMAND_EXECUTION]: The scripts/helper.sh script performs sensitive operations, including using the macOS security utility to manipulate generic password entries in the system keychain via the restore-keychain command. It also executes arbitrary source commands on user-controlled scripts.
  • [DYNAMIC_EXECUTION]: A command injection vulnerability exists in scripts/helper.sh. The preflight and restore-keychain commands interpolate file paths directly into Python execution strings. A maliciously named configuration file containing single quotes could execute arbitrary Python code when the helper script scans the directory.
  • [DATA_EXFILTRATION]: The skill accesses and processes ~/.lark-cli/config.json and associated secret files, which contain high-privilege authentication tokens and application credentials. While no external network exfiltration was detected, the exposure of these credentials to the skill's logic constitutes a significant data surface risk.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 21, 2026, 06:10 AM
Security Audit — agent-trust-hub — lark-switch