dot-skill
Warn
Audited by Gen Agent Trust Hub on Jun 2, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill is configured to download and run external code at runtime. Specifically,
tools/feishu_mcp_client.pyusessubprocess.runto callnpx -y feishu-mcp, which installs and executes a package from the npm registry without version pinning. - [COMMAND_EXECUTION]: Several tools in the repository execute shell commands through the
subprocessmodule.tools/research/transcribe_audio.pyandtools/research/download_subtitles.shinvoke theyt-dlpbinary to download and process remote URLs.tools/feishu_mcp_client.pyalso executesnpxto communicate with Feishu services. - [DATA_EXFILTRATION]: The skill is designed to retrieve sensitive organizational data. It prompts for and stores API tokens for Feishu, Slack, and DingTalk in the user's home directory (
~/.colleague-skill/). It uses these tokens to pull extensive private data, including chat histories and internal documents, into the AI context. - [PROMPT_INJECTION]: The skill has a high attack surface for indirect prompt injection into the agents it creates. \n * Ingestion points: Content is collected from Feishu, Slack, and DingTalk via
tools/feishu_auto_collector.py,tools/slack_auto_collector.py, andtools/dingtalk_auto_collector.py. \n * Boundary markers: The prompts in theprompts/directory structure the extraction, but the finalSKILL.mdtemplates intools/skill_writer.pyinterpolate raw extracted content without using explicit delimiters or warnings to ignore embedded instructions. \n * Capability inventory: The generated AI skills are designed to use high-privilege tools such asBash,Read, andWrite. \n * Sanitization: No deterministic sanitization is performed on the raw data to remove potential prompt injection payloads before they are adopted by the new agent's system instructions. - [EXTERNAL_DOWNLOADS]: The skill downloads media from arbitrary URLs provided by the user using
yt-dlpand fetches Node.js packages from the public npm registry.
Audit Metadata