Back to skill

Security audit

Feishu Doc

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does Feishu document work, but it has under-disclosed write, sharing, token-storage, hard-coded Bitable, and bundled-cache behaviors that users should review before installing.

Install only if you intend to grant this skill write-capable Feishu credentials, not just read access. Review and preferably remove or isolate helper scripts for permission grants, IM file downloads, hard-coded Bitable setup, and bundled cache files; use least-privilege Feishu app scopes and avoid shared on-disk token storage where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and relies on network access and environment-provided credentials, but does not declare corresponding permissions. This creates a transparency and consent problem: a user or platform may underestimate the skill's access to secrets and outbound communications, increasing the risk of unintended data exposure or unauthorized API use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description frames the skill primarily as a reader/fetcher, but the documented and detected behavior includes creating documents, overwriting content, appending content, granting edit access, downloading files, and modifying Bitable structures and records. This mismatch is dangerous because users may invoke or install the skill expecting read-only behavior while it actually has broad write and sharing capabilities that can alter data or expand access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script performs a write operation against a Feishu document by calling documentBlockChildren.create, which appends remote content rather than merely fetching or converting it. In the context of a skill described as read-oriented ('Fetch content from Feishu... and converts content to Markdown'), this is a privilege/behavior mismatch that can enable unauthorized content tampering, data corruption, or misuse of the app's write-scoped credentials.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code has the capability to modify a remote Feishu document using credentials loaded from the environment, even though the skill's stated purpose is content retrieval. This unjustified write capability increases the blast radius of compromise or misuse: an operator expecting read-only behavior could unknowingly allow document defacement, insertion of misleading content, or destructive workflow abuse.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The cached response clearly shows write-capable behavior via appended_blocks and text indicating the Feishu Doc skill fixed a missing append command, which conflicts with the stated read-only purpose of only fetching and converting content. This capability mismatch is dangerous because users or downstream agents may grant or invoke the skill under the assumption it is non-mutating, enabling unintended document modification or data tampering.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The fetched document content includes large volumes of unrelated internal system logs, code, and maintenance history rather than only the requested Feishu document body. For a document-fetching skill, this is an over-broad data exposure flaw that can leak workspace internals, prompts, operational state, and other sensitive context to any caller who only intended to read a document.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The returned content exposes internal agent telemetry such as session history, IDs, operational logs, and workflow records that are unnecessary for a Feishu document reader. This materially increases attack surface by disclosing sensitive internals that could aid prompt injection, targeting, privilege abuse, or reconnaissance.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file performs write-capable actions by creating Feishu documents and optionally modifying sharing permissions, which materially exceeds the described skill purpose of fetching and converting existing content. In an agent context, this scope mismatch is dangerous because a user or upstream workflow expecting read-only behavior could unknowingly trigger document creation and access changes in their workspace.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The --grant option allows the code to assign edit access to an arbitrary supplied user ID, and the function suppresses errors instead of enforcing policy checks or approval gates. For a content-fetching skill, this is an unjustified privilege-changing action that could expose documents to unauthorized parties or enable tampering with newly created content.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script downloads arbitrary files from Feishu IM using a message/file identifier, which extends the skill's actual capabilities beyond the declared scope of Wiki, Docs, Sheets, and Bitable content. This creates a scope-creep data access risk: users or downstream systems may trust the manifest and grant the skill access in contexts where IM attachment retrieval is unexpected, potentially exposing chat files or sensitive attachments.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill’s stated purpose is read-only fetching/conversion, but the implementation exposes create, append, and overwrite operations, including destructive writes. This capability mismatch is dangerous because agents or users may invoke the skill under the assumption it is non-destructive, causing unauthorized modification or loss of Feishu document content.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The overwrite path deletes existing document children and replaces them with parsed content, which is far beyond a fetch-and-convert skill’s expected behavior. In an agent environment, hidden destructive capability substantially increases the risk of accidental or unauthorized data destruction if the skill is selected based on its misleading description.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Document creation and append/edit operations are outside the advertised read/fetch scope, creating a privilege and expectation mismatch. Even when non-destructive compared to overwrite, these actions can still alter enterprise records or inject untrusted content into shared documents without users realizing the skill can write.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This helper reads Feishu credentials from multiple local .env locations and config.json, then later uses a shared on-disk token cache outside the skill directory. That broadens the skill's access beyond its stated fetch-and-convert purpose and creates unnecessary credential/token exposure to other local components or users on the same host.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code explicitly prioritizes a single hard-coded table ID (`tblJgZHOmPybgX60`) and even labels it as a specific person's table, causing the skill to retrieve that table regardless of broader user intent. In a document-fetching skill, this creates a strong risk of targeted unauthorized data access or covert exfiltration because the selection logic is intentionally biased toward one sensitive resource.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill description says it fetches and converts Feishu content, but this file also exposes appendDocxContent(), which performs an authenticated POST to modify documents. Hidden write capability creates a dangerous mismatch between declared and actual behavior, increasing the chance that users or downstream agents invoke document modification without informed consent.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script performs write operations against Feishu Bitable by creating fields and batch-inserting records, which materially exceeds a skill described as fetch/read-only for Feishu Docs and Wiki content. In an agent context, hidden state-changing setup code can violate least privilege, surprise operators, and modify tenant data without user awareness or authorization aligned to the advertised capability.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Provisioning and populating a Bitable table is not justified by a document-fetching skill and introduces unauthorized data creation capability. If executed in a real tenant, this can alter organizational data structures, create misleading records, and expand the blast radius from passive retrieval to active modification of shared workspace content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation explicitly supports overwrite, append, update, and delete-style block operations, but does not prominently warn that existing Feishu content may be modified or removed. In a document-management context, this increases the chance of accidental destructive actions, especially when an agent is acting on ambiguous prompts or the wrong token.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The file contains extensive persona prompts, dialogue rules, and voice metadata that strongly steer outputs into Chinese-language character roleplay without any evidence of user opt-in or runtime gating. In an agent skill, this can override user intent, reduce transparency, and create prompt-injection style behavior where retrieved content acts as hidden instructions rather than inert data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The overwrite flow attempts to delete existing document content before inserting new blocks, but there is no confirmation, preview, or safeguard to ensure the caller understands the operation is destructive. This can lead to irreversible content loss from prompt mistakes, token mix-ups, or agent mis-selection, especially in collaborative document systems.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script uses a tenant access token to enumerate Bitable tables and field metadata from remote Feishu resources and prints the results to stdout, but it provides no consent prompt, scope restriction, or disclosure that remote workspace metadata will be inspected. Even though it appears to be an internal inspection utility rather than overtly malicious code, enumerating schema information can expose sensitive business structure, project names, workflow fields, and option values that aid reconnaissance or leak internal metadata through logs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists a valid tenant access token to disk in a shared memory path, which can allow other local processes, skills, or users to reuse the token until expiry if filesystem permissions are weak. Because this token grants API access, unauthorized reuse could expose Feishu data or enable actions under the tenant context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code appends content to a live Feishu document immediately once called, with no built-in confirmation, dry-run, or warning that the action is destructive/persistent. In an agent setting, that makes accidental or manipulated writes much more likely, especially because the skill is presented primarily as a fetch/conversion tool rather than an editor.

Ssd 4

High
Confidence
95% confidence
Finding
The content contains explicit recursive instructions for continuous autonomous self-modification, persistence, syncing, and propagation to new agents. If a downstream agent ingests this fetched text as actionable context, it could trigger unauthorized code changes, background task spawning, and persistent self-propagating behavior.

VirusTotal

No VirusTotal findings

View on VirusTotal