calendar (v4)

Name: cli/lark-calendar
Author: larksuite

View on GitHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill permits arbitrary code execution and command injection via system

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

calendar (v4): **CRITICAL — 开始前 MUST 先用 Read 工具读取 [`../lark-shared/SKILL.md`](../lark-shared/SKILL.md)，其中包含认证、权限处理** **CRITICAL — 所有的 Shortcuts 在执行之前，务必先使用 Read 工具读取其对应的说明文档，禁止直接盲目调用命令。** **CRITICAL — 凡涉及【预约日程/会议】或【查询/搜索会议室】，第一步 MUST 强制使用 Read 工具读取 [`references/lark-calendar-schedule-meeting.md`](references/lark-calendar-schedule-meeting.md)。禁止跳过此步直接调用 API 或 Shortcut！** **CRITICAL — 术语约束：用户日常表达中常说的“帮我约个日历”、“查一下今天的日历”等，其实际意图通常是针对日程（Event）的创建或查询，而非操作日历（Calendar）容器本身。请自动将口语化的“日历”意图映射为“日程”操作（如 `+create`, `+agenda`）。** **CRITICAL — 会议与日程的意图路由：** - **查询过去时间的会议**：如果用户明确查询过去时间的会议（如“昨天的会议”、“上周的会议”），**优先使用 [`../lark-vc/SKILL.md`](../lark-vc/SKILL.md) 搜索会议记录**。因为会议数据不仅包含从日程发起的视频会议，还包含即时会议，仅查询日程数据会导致结果不全。 - **查询日历/日程或未来时间的会议**：如果用户明确表达的是“日历”、“日程”，或者涉及**未来时间**的安排，则属于本技能（lark-calendar）的业务域，请继续使用本技能处理。

Actually does

This skill utilizes the `lark-cli` tool to manage Lark calendar data. It enables operations such as creating, reading, updating, and deleting calendars and events, managing event attendees, querying user free/busy status, and finding available meeting rooms. It mandates reading specific `.md` documentation files for authentication, permissions, and workflow guidance, especially for scheduling and meeting room bookings.

Threat Analysis

AI Agent Traps ↗Scanned 4/15/2026

Content InjectionPerception1 finding

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learning1 finding

Behavioural ControlAction3 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namelarksuite/cli/lark-calendar

Registrygithub

Version5fa68ccaa04e

PURLpkg:github/larksuite/cli@5fa68ccaa04e?skill=lark-calendar

Stars7,923

Installs57,200

Source

Repository ↗SKILL.md ↗

SHA-256f03745613de0...

SHA-16d10387b9bea...

MD5cb5992bc2430...

TLSHb532fa4f7c5b...

ssdeep192:/goqu2EV...

Size11,121 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

https://github.com/larksuite/cli/tree/main/skills/lark-calendar

57,200 installs

Skills.shDocs

npx skills add https://github.com/larksuite/cli --skill lark-calendar

Assessments (4)

AI Agent Traps ↗

Arbitrary Command and Script Executioncriticalcommand execution

The skill explicitly allows the execution of the 'lark-cli' binary and general 'system commands or script code'. This capability can be leveraged for arbitrary code execution, reverse shells, data exfiltration, or other malicious activities.

100% confidenceline 10

bins: ["lark-cli"]
lark-cli calendar <resource> <method> [flags]
务必调用系统命令或脚本代码等外部工具进行处理

Potential for Resource Abuse via External Scriptsmediumresource abuse

The instruction to use 'system commands or script code' for date/time conversions, combined with the ability to perform 'batch' operations (e.g., `+room-find` after `+suggestion`), creates a potential for resource exhaustion or denial-of-service if the external scripts are malicious or poorly implemented.

90% confidenceline 50

务必调用系统命令或脚本代码等外部工具进行处理
再将时间块传给 `+room-find`

Lack of Explicit Input Sanitization Guidancemediumcommand execution

The skill does not provide explicit instructions or mechanisms for sanitizing user-provided input before it is passed to `lark-cli` commands or other 'system commands or script code'. This absence could lead to command injection vulnerabilities.

80% confidenceline 10

lark-cli calendar <resource> <method> [flags]
务必调用系统命令或脚本代码等外部工具进行处理

External Knowledge Dependency (RAG Poisoning Risk)highrag poisoning

The skill mandates reading external Markdown files (e.g., `../lark-shared/SKILL.md`, `references/lark-calendar-schedule-meeting.md`) using a 'Read tool'. If these external files are compromised, they can inject malicious instructions or data into the agent's knowledge base, influencing its reasoning and actions.

100% confidenceline 15

CRITICAL — 开始前 MUST 先用 Read 工具读取 [`../lark-shared/SKILL.md`]
BLOCKING REQUIREMENT ... 优先使用 Read 工具完整读取 [`references/lark-calendar-schedule-meeting.md`]

Prompt Injection Detectedmediumprompt injection

DeBERTa classifier detected prompt injection (confidence: 0.55)

55% confidence

Strong Semantic Guardrails for Workflow Enforcementinfooversight evasion

The skill uses highly authoritative and restrictive language ('CRITICAL', 'MUST', 'BLOCKING REQUIREMENT', '严禁', '绝对禁止') to enforce specific workflows and prevent agent autonomy in certain decisions. While intended for correctness and safety, such strong directives could be repurposed for malicious semantic manipulation if the underlying goal was different.

100% confidenceline 15

CRITICAL — 开始前 MUST 先用 Read 工具读取
BLOCKING REQUIREMENT (阻塞性要求): 只要用户的意图包含…

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/larksuite/cli/lark-calendar.svg)](https://mondoo.com/ai-agent-security/skills/github/larksuite/cli/lark-calendar)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/larksuite/cli/lark-calendar"><img src="https://mondoo.com/ai-agent-security/api/badge/github/larksuite/cli/lark-calendar.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/larksuite/cli/lark-calendar.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow