Feishu Card JSON v2

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Feishu card-sending integration, with the main risk being that users should avoid sending sensitive data to the wrong chat or person.

Install this only if you want an agent to send and update Feishu messages using your configured Feishu app. Verify chat or user recipients before sending, use least-privilege Feishu credentials, and avoid putting secrets, regulated personal data, or unnecessary sensitive business details in card fields or callback payloads.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 81% confidence
Finding: This skill is designed to send interactive Feishu cards to chats or individual users and may include structured data, form fields, user identifiers, and callback payloads, but the description does not warn about privacy or data-handling constraints. That omission can lead operators to send sensitive personal, operational, or business data into Feishu without considering minimization, consent, retention, or recipient validation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal