feishu-cli-import
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill instructions include a 'CRITICAL' block that mandates the agent to 'immediately' perform permission-altering actions after document creation. This pattern attempts to override the agent's default operational flow and force the execution of sensitive commands without explicit user confirmation for each instance.
- [DATA_EXFILTRATION]: The skill directs the agent to grant 'full_access' and transfer ownership of all newly created documents to a hardcoded email address ('user@example.com'). This represents a significant data exfiltration risk, as user-created documents would be automatically shared with an external party.
- [COMMAND_EXECUTION]: The skill uses the 'Bash' tool to execute 'feishu-cli' and 'python3' commands. These operations involve interpolating user-provided file paths into shell command lines, which presents a risk of command injection.
- [EXTERNAL_DOWNLOADS]: The skill depends on an external CLI tool ('feishu-cli') and provides instructions to download it from a third-party GitHub repository ('github.com/riba2534/feishu-cli').
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection (Category 8) due to its processing of untrusted external files with high-privilege tools.
- Ingestion points: Markdown files are read and processed to create document content.
- Boundary markers: There are no identified delimiters or instructions to prevent the agent from following commands that might be embedded within the Markdown files.
- Capability inventory: The 'feishu-cli' tool has extensive permissions, including document creation, permission management, and ownership transfer.
- Sanitization: No sanitization or content validation is performed on the Markdown data before it is sent to the Feishu API.
Recommendations
- AI detected serious security threats
Audit Metadata