Security audit

每日英语诗歌推送 (Daily English Poetry Push)

Security checks across malware telemetry and agentic risk

Overview

The Feishu sending behavior appears to be part of the skill’s stated notification/publishing purpose, not hidden data theft.

Install only if you intend the skill to send generated or gathered content to Feishu. Configure the destination channel and credentials yourself, and avoid using it with private or regulated data unless you are comfortable with that data being posted to the selected Feishu destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill automatically sends gathered and generated content to Feishu, but it does not provide an explicit user-facing notice that information will be transmitted to an external messaging platform. This creates a data-governance and privacy risk, especially if fetched content, metadata, or future user-supplied inputs are included in outbound messages without clear consent or visibility.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.