Skills
skills/titanwings/colleague-skill/dot-skill/Gen Agent Trust Hub

dot-skill

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script tools/feishu_mcp_client.py uses subprocess.run to execute npx -y feishu-mcp --stdio. This downloads and executes an external Node.js package from the npm registry at runtime, representing an unverified external code execution vector.
  • [CREDENTIALS_UNSAFE]: Several data collection tools (feishu_auto_collector.py, slack_auto_collector.py, dingtalk_auto_collector.py) prompt the user for highly sensitive credentials, including App ID, App Secret, Bot Tokens, and OAuth codes. These are stored locally in the ~/.colleague-skill/ directory, making them accessible to the agent or other processes.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the subprocess module to execute system commands.
  • tools/research/transcribe_audio.py executes yt-dlp to download media.
  • tools/feishu_mcp_client.py executes npx to run a Model Context Protocol server.
  • tests/test_cli_lifecycle.py spawns the Python interpreter and various skill tools.
  • [PROMPT_INJECTION]: The skill possesses a significant surface for indirect prompt injection (Category 8).
  • Ingestion points: Raw messages, emails, and documents are ingested via feishu_auto_collector.py, slack_auto_collector.py, dingtalk_auto_collector.py, and email_parser.py.
  • Boundary markers: The analysis prompts (e.g., prompts/persona_analyzer.md) instruct the agent to extract rules from this untrusted material without providing clear boundary markers or sanitization requirements.
  • Capability inventory: The skill is permitted to write files, execute arbitrary shell commands via the Bash tool, and perform network operations.
  • Sanitization: No evidence was found of sanitizing or escaping ingested chat history or document content before it is interpolated into analysis prompts.
  • [EXTERNAL_DOWNLOADS]: The skill downloads and executes third-party binaries and packages at runtime.
  • tools/research/transcribe_audio.py relies on yt-dlp to fetch media from user-supplied URLs.
  • tools/feishu_mcp_client.py downloads the feishu-mcp package via npx.
  • [DATA_EXFILTRATION]: The script tools/feishu_browser.py includes functionality to load the user's Chrome browser profile (user_data_dir). This grants the agent potential access to the user's session cookies, browsing history, and saved credentials for sensitive platforms.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 11, 2026, 01:02 PM