Context-Inappropriate Capability
Medium
- Confidence
- 90% confidence
- Finding
- The script accepts an arbitrary user-supplied URL and downloads it over HTTP or HTTPS with no allowlist, content-type validation, size limits, timeout handling, or redirect/IP restrictions. This creates an SSRF-style primitive and can be abused to access internal services, fetch unexpected content, or cause resource exhaustion before the file is uploaded onward to Feishu.
