Document mail allow/block sender commands #1741
Actionable comments posted: 1
📒 Files selected for processing (2)
- `skill-template/domains/mail.md`
- `skills/lark-mail/SKILL.md`
| | `user_mailbox.allow_senders.list` | `mail:user_mailbox.message:modify` | | ||
| | `user_mailbox.allow_senders.batch_create` | `mail:user_mailbox.message:modify` | | ||
| | `user_mailbox.allow_senders.batch_remove` | `mail:user_mailbox.message:modify` | | ||
| | `user_mailbox.blocked_senders.list` | `mail:user_mailbox.message:modify` | | ||
| | `user_mailbox.blocked_senders.batch_create` | `mail:user_mailbox.message:modify` | | ||
| | `user_mailbox.blocked_senders.batch_remove` | `mail:user_mailbox.message:modify` | |
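Review bot: the `user_mailbox.allow_senders.list` and `user_mailbox.blocked_senders.list` rows document the same `mail:user_mailbox.message:modify` scope as the four `batch_create` / `batch_remove` rows, so a caller following this table requests write access just to read the lists. Check which scope the list endpoints accept and document the narrowest one on those two rows, or state in the table why a read needs a write scope.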
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Split read-only sender-list lookups from write scopes.
`allow_senders.list` and `blocked_senders.list` are read-only operations, but the table assigns them `mail:user_mailbox.message:modify`. That overstates the required permission and will force callers to request write access just to inspect the lists. Keep `modify` for `batch_create` / `batch_remove`, and map the `list` rows to a readonly scope instead.
🧰 Tools
🪛 SkillSpector (2.3.7)
[error] 33: [P1] Instruction Override: This pattern attempts to override system instructions or ignore safety constraints. Without LLM analysis, manual review is recommended.
Remediation: Remove or rewrite any text that instructs the agent to ignore prompts, override safety rules, or trust unverified content. Ensure skill content cannot be injected to alter agent behavior.
(Prompt Injection (P1))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@skills/lark-mail/SKILL.md` around lines 741 - 746, The sender-list scope
table is over-permissive because the `user_mailbox.allow_senders.list` and
`user_mailbox.blocked_senders.list` entries are read-only but are currently
mapped to `mail:user_mailbox.message:modify`. Update the permission mapping in
`SKILL.md` so the `list` rows use the appropriate readonly scope, while keeping
`mail:user_mailbox.message:modify` only for
`user_mailbox.allow_senders.batch_create`,
`user_mailbox.allow_senders.batch_remove`,
`user_mailbox.blocked_senders.batch_create`, and
`user_mailbox.blocked_senders.batch_remove`.
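A check in the spirit of the review comment above, as an added example that is not part of the PR or of CodeRabbit's output: it scans a markdown scope table and flags read-only methods documented with a write scope. Treating a `list`/`get` method suffix as read-only and a `modify` scope suffix as write is an assumption, and the header lines of the sample table are constructed.

```python
import re

# Assumption: a method whose last dotted segment is one of these only reads data.
READ_ONLY_ACTIONS = {"list", "get"}
# Assumption: a scope whose last colon-separated segment is one of these grants write access.
WRITE_SCOPE_ACTIONS = {"modify"}

# Matches a table row holding two back-quoted cells: `method` | `scope`
ROW = re.compile(r"\|\s*`(?P<method>[\w.]+)`\s*\|\s*`(?P<scope>[\w.:]+)`\s*\|")


def parse_scope_table(markdown):
    """Return (line_number, method, scope) for every method/scope row."""
    rows = []
    for lineno, line in enumerate(markdown.splitlines(), start=1):
        match = ROW.search(line)
        if match:
            rows.append((lineno, match["method"], match["scope"]))
    return rows


def find_over_scoped(markdown):
    """Flag read-only methods that are documented with a write scope."""
    findings = []
    for lineno, method, scope in parse_scope_table(markdown):
        reads_only = method.rsplit(".", 1)[-1] in READ_ONLY_ACTIONS
        grants_write = scope.rsplit(":", 1)[-1] in WRITE_SCOPE_ACTIONS
        if reads_only and grants_write:
            findings.append((lineno, method, scope))
    return findings


# Method and scope cells as they appear in the reviewed table; header lines are constructed.
SAMPLE = """\
| Method | Scope |
|--------|-------|
| `user_mailbox.allow_senders.list` | `mail:user_mailbox.message:modify` |
| `user_mailbox.allow_senders.batch_create` | `mail:user_mailbox.message:modify` |
| `user_mailbox.allow_senders.batch_remove` | `mail:user_mailbox.message:modify` |
| `user_mailbox.blocked_senders.list` | `mail:user_mailbox.message:modify` |
| `user_mailbox.blocked_senders.batch_create` | `mail:user_mailbox.message:modify` |
| `user_mailbox.blocked_senders.batch_remove` | `mail:user_mailbox.message:modify` |
"""

if __name__ == "__main__":
    for lineno, method, scope in find_over_scoped(SAMPLE):
        print(f"line {lineno}: {method} is read-only but documented with {scope}")
```

Run against the real `SKILL.md` in CI, a non-empty result can fail the build until each flagged row is narrowed or explicitly justified.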
Updates the mail command references so user mailbox allow/block sender operations are documented and discoverable.