Back to skill

Security audit

Feishu Card

Security checks across malware telemetry and agentic risk

Overview

This Feishu messaging skill mostly matches its purpose, but it has real command-injection and sensitive-content leakage risks that users should review before installing.

Install only after hardening or running it in an isolated environment. Replace execSync command strings with spawn/execFile argument arrays or direct function calls, validate target/title/color/event fields, remove or clearly disclose smart path inference for --text, and reapply secret scanning before every outbound fallback. Use a least-privilege Feishu app token and avoid sending secrets, logs, code, or regulated data through this skill unless you intend that content to reach Feishu/Lark.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code performs a secret scan before sending the interactive card, but the outer catch block later reconstructs content and invokes a plain-text fallback without reapplying the same scan. That means a send failure on the primary path can still cause sensitive content to be transmitted, defeating the stated leak-prevention control.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script claims to be a safe wrapper, but it constructs a shell command string and passes user-controlled values (`target`, `color`, and especially `title`) into `execSync` with only double-quote wrapping. In a shell context, double quotes do not prevent command substitution such as `$(...)`, so an attacker can trigger arbitrary command execution by supplying crafted CLI input.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The fallback logic resends message text over the network after an error, but it does not repeat the secret-detection check or warn the user that protections are no longer being enforced. In practice, any failure in card construction or delivery can turn into a silent exfiltration path for content that should have been blocked.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code executes a constructed shell command using untrusted CLI input without safe argument separation. Because the skill is a messaging helper likely to be reused in automation, this increases exposure: any upstream system or user able to influence these arguments may gain code execution on the host running the skill.

VirusTotal

No VirusTotal findings

View on VirusTotal