lark-project

Warn

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute local shell commands during the 'Weekly Review' process (git -C ~/dev/{category}/{name} log -1 ...). The {category} and {name} variables are derived from project titles and metadata fetched from the Lark API. This creates a risk of command injection or path traversal if a project name contains shell metacharacters or directory traversal sequences (e.g., ../../).
  • [DATA_EXFILTRATION]: The skill interacts extensively with the local file system, specifically targeting the user's ~/dev/ directory and operational playbooks in ~/dev/ops/. While intended for developer productivity, this broad access increases the risk of exposing source code or internal documentation if the agent is manipulated via malicious project data.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8).
    • Ingestion points: Project fields such as name, description, and category are ingested from the external Lark Project platform via the search_by_mql tool (SKILL.md).
    • Boundary markers: No delimiters or instructions to ignore embedded commands are present when processing this external data.
    • Capability inventory: The agent has the ability to execute shell commands (git), modify project fields (update_field), and create new work items (create_workitem).
    • Sanitization: There is no evidence of validation or sanitization for the project-derived strings before they are interpolated into shell commands or prompts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 1, 2026, 10:36 AM