飞书文档搜索助手

Security checks across malware telemetry and agentic risk

Overview

This Feishu document-search skill has a plausible purpose, but it exposes Feishu credentials and can automatically send some questions outside the configured document space.

Review carefully before installing. Do not use this version unless the Feishu secret has been removed and rotated, the workspace and owner override are intentionally yours, triggers are narrowed, and any forwarding to another bot or person is explicitly approved by users before content is sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (9)

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The skill advertises itself as searching a configured Feishu document space, but its documented behavior can forward user questions to another bot/person and external technical space. This creates an undocumented data-flow expansion: user prompts and possibly sensitive business questions may be transmitted outside the configured scope, violating least privilege and user expectations.

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The skill contains contradictory security boundaries: it says all answers must come from the configured document space, yet elsewhere it forwards some queries to an external technical space/person. Such contradictions are dangerous because operators and users may rely on the narrower promise while the skill actually permits broader sharing of potentially sensitive queries.

Context-Inappropriate Capability

High

Confidence: 100% confidence
Finding: The file embeds a live Feishu App ID and App Secret directly in the skill documentation. Hardcoded credentials can be harvested by anyone with access to the skill, used to mint tenant access tokens, and then abused to access Feishu APIs and tenant data depending on the app's permissions.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The config explicitly grants the owner "full_access" and states they can "ask any question," which exceeds the documented scope of searching a specific Feishu document space. In an agent setting, this creates a privilege bypass path where one identity may coerce the skill into handling out-of-scope requests or exposing data/functions not intended by the manifest.

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The skill is described as a document search assistant, but the configuration enables forwarding certain technical questions to another bot. This expands data flow and behavior beyond the declared purpose, creating a risk of unintended disclosure of user prompts or retrieved content to a separate agent with different permissions or safeguards.

Vague Triggers

High

Confidence: 88% confidence
Finding: The trigger conditions include very broad everyday terms like '文档', '资料', '知识库', '手册', and '指南', which can cause the skill to activate on unrelated user messages. Over-triggering is risky here because activation may initiate document traversal, configuration collection, or forwarding behavior, increasing the chance of unintended data access or disclosure.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The top-level activation rule, 'when the user expresses search/query knowledge intent,' is too vague for a skill with access to documents and optional cross-space forwarding. Ambiguous routing can lead to unintended invocation and unnecessary exposure of user queries or internal document metadata.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger configuration is effectively open-ended because both `trigger_keywords` and `trigger_semantic` are blank/defaulted, while the skill description says it should auto-trigger on search/query intent. In an agent environment, underspecified activation can cause the skill to run on broad user inputs and access document-space search functionality unexpectedly, which increases the chance of unnecessary document exposure or unintended invocation.

Ssd 1

Medium

Confidence: 93% confidence
Finding: The natural-language note says the owner has full functionality and can ask any question, which can act as an informal policy override that supersedes normal scope limits. In LLM-driven systems, such embedded permission language is especially dangerous because downstream components may interpret it as authorization, leading to out-of-scope responses or data access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal