Is lark-bot safe?

The skill provides upload_image() and upload_file() methods that accept arbitrary local file paths. An agent instructed to 'upload a file' could be tricked or prompted into uploading sensitive files (.env, SSH keys, source code) to Feishu servers, effectively exfiltrating data from the local machine.

The skill allows sending text, files, and rich content to any Feishu user or group chat by ID. This could be exploited to send sensitive data (environment variables, file contents, conversation history) to an attacker-controlled Feishu account.

The LarkBotListener component enables a persistent message listener that can receive and process incoming messages. If activated, an external Lark user could send commands to the agent through Feishu messages, creating a command-and-control channel that bypasses normal agent interaction boundaries.

Methods like get_user_info (accepts emails, phone numbers), get_group_list, and get_members_in_group expose organizational directory information that could be used for reconnaissance.

The skill description covers messaging, file management, user queries, and message listening — a very broad scope. This increases the likelihood the agent activates this skill for tasks where it shouldn't, potentially exposing Feishu API credentials or sending unintended messages.

The skill references pywayne.lark_bot and pywayne.lark_bot_listener from an external Python package. While the skill itself doesn't trigger installation, an agent following the documentation would need to pip install this package, which could contain arbitrary code.

This skill is benign as documentation alone, but if combined with skills that grant filesystem access, an agent could read sensitive files and then use this skill's upload/send methods to exfiltrate the contents to Feishu.