Back to skill

Security audit

feishu-message

Security checks across malware telemetry and agentic risk

Overview

This Feishu messaging skill mostly does what it says, but it includes under-disclosed chat-reading and chat-modifying powers, including an undocumented chat deletion script.

Install only if you are comfortable giving this skill Feishu app credentials that can read and modify chat data. Use a restricted Feishu app, review or remove disband_chat.js if deletion is not needed, avoid broad shared .env files, and treat terminal output and the token cache as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The helper is described as a lookup from user ID to chat ID, but it actually calls `client.im.chat.create`, which can create a new chat as a side effect. That mismatch is dangerous because a seemingly read-only operation can modify remote state, trigger unintended conversations, or be abused to create chats without clear user intent or authorization checks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents commands that can send audio to Feishu targets and create new group chats, but it provides no warning that these are outbound, state-changing actions. In an agent setting, missing explicit warnings and confirmation guidance can lead to unintended data sharing, spam, privacy violations, or unauthorized chat creation if the skill is invoked with the wrong target or file.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The script makes authenticated Feishu API calls to discover a user's P2P chat and enumerate pinned messages, then prints message-derived content to stdout without any access-control, authorization, or consent checks in the script itself. In an agent-skill context, this can enable silent collection of potentially sensitive workplace communications metadata and content if invoked on arbitrary user IDs.

VirusTotal

No VirusTotal findings

View on VirusTotal