Back to skill

Security audit

Feishu Whiteboard

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims for Feishu whiteboards, but it also includes under-disclosed scripts that can write to hard-coded Feishu boards and persists Feishu access tokens in a shared local cache.

Install only if you are comfortable reviewing and removing the hard-coded demo/debug scripts before use. Use a test Feishu tenant or board first, avoid running scripts other than the documented create/draw commands, and protect FEISHU_APP_ID, FEISHU_APP_SECRET, and the shared token cache file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill persists a shared Feishu tenant access token to a common file under ../../memory/feishu_token.json, creating cross-skill credential state. If other skills or local users can read that path, they may reuse the bearer token to access Feishu APIs within its validity window, causing privilege leakage and lateral movement across components.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The skill documentation explicitly supports creating and modifying Feishu Whiteboards, which are remote external resources, but it does not warn users that running the skill will change data in a third-party service. This can lead to unintended edits or object creation in production/shared workspaces, especially when users invoke demo commands or programmatic examples without realizing they are performing write operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs a remote write via addNodes() against a hard-coded board ID, with no prompt, validation, or user disclosure of which remote resource will be modified. This is dangerous because anyone running the skill may unknowingly alter a specific third-party board, and the embedded comment naming the board owner increases confidence that the target is a real external asset rather than a placeholder.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends a user-supplied wiki token in an outbound request and also prints the token to stdout, which can expose sensitive credentials in terminal history, CI logs, or centralized logging systems. Even if intended as a diagnostic probe, transmitting and logging bearer-like identifiers without warning or masking creates a real risk of credential disclosure and unintended access to the associated wiki resource.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script performs hard-coded remote mutations against a specific whiteboard and node IDs immediately on execution, with no user confirmation, validation, or dry-run mode. In an agent-skill context, that is dangerous because simply invoking the skill can alter shared remote data unexpectedly, and the embedded commentary shows awareness that the operation may leave the board in a partially broken state (for example, stale connectors left behind).

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal