dot-skill

Warn

Audited by Gen Agent Trust Hub on Jun 2, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill is configured to download and run external code at runtime. Specifically, tools/feishu_mcp_client.py uses subprocess.run to call npx -y feishu-mcp, which installs and executes a package from the npm registry without version pinning.
  • [COMMAND_EXECUTION]: Several tools in the repository execute shell commands through the subprocess module. tools/research/transcribe_audio.py and tools/research/download_subtitles.sh invoke the yt-dlp binary to download and process remote URLs. tools/feishu_mcp_client.py also executes npx to communicate with Feishu services.
  • [DATA_EXFILTRATION]: The skill is designed to retrieve sensitive organizational data. It prompts for and stores API tokens for Feishu, Slack, and DingTalk in the user's home directory (~/.colleague-skill/). It uses these tokens to pull extensive private data, including chat histories and internal documents, into the AI context.
  • [PROMPT_INJECTION]: The skill has a high attack surface for indirect prompt injection into the agents it creates. \n * Ingestion points: Content is collected from Feishu, Slack, and DingTalk via tools/feishu_auto_collector.py, tools/slack_auto_collector.py, and tools/dingtalk_auto_collector.py. \n * Boundary markers: The prompts in the prompts/ directory structure the extraction, but the final SKILL.md templates in tools/skill_writer.py interpolate raw extracted content without using explicit delimiters or warnings to ignore embedded instructions. \n * Capability inventory: The generated AI skills are designed to use high-privilege tools such as Bash, Read, and Write. \n * Sanitization: No deterministic sanitization is performed on the raw data to remove potential prompt injection payloads before they are adopted by the new agent's system instructions.
  • [EXTERNAL_DOWNLOADS]: The skill downloads media from arbitrary URLs provided by the user using yt-dlp and fetches Node.js packages from the public npm registry.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 2, 2026, 07:15 AM
Security Audit — agent-trust-hub — dot-skill