documents
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell execution for the `lark` CLI and extensively uses pipes to utilities like `jq` and `grep`. This configuration creates a command injection surface if the agent interpolates untrusted user input—such as document IDs, folder tokens, or search queries—directly into the shell commands without adequate sanitization.
- [COMMAND_EXECUTION]: The `lark doc download` command includes an output path parameter (`-o`). This grants the agent the ability to write files to the local file system. If the agent is compromised or misled by malicious input, this capability could be used to overwrite sensitive system or configuration files.
- [PROMPT_INJECTION]: The skill is designed to ingest and process content from external Lark documents, which are untrusted data sources. This establishes a surface for indirect prompt injection.
  - Ingestion points: The `doc get`, `doc blocks`, `doc comments`, and `sheet read` commands in `SKILL.md` retrieve external content into the agent's context.
  - Boundary markers: Absent. The skill lacks instructions or delimiters to help the agent distinguish between document content and its own system instructions.
  - Capability inventory: The skill has the ability to execute shell commands (`lark`, `jq`, `grep`), perform file writes (`doc download`), and execute API write operations (`doc create`, `doc append`).
  - Sanitization: Absent. There are no mechanisms described for sanitizing, validating, or escaping the content retrieved from external sources before it is processed by the agent.