Security audit

Feishu Group Chat

Security checks across malware telemetry and agentic risk

Overview

This skill can post, read, and upload images in Feishu groups using a user-authorized account, with broad proactive chat and identity-simulation behavior that deserves review before installation.

Install only if you intentionally want an agent to act in configured Feishu groups through a user-authorized account. Prefer a dedicated Feishu account, restrict configured groups and contacts, review contact memory files and config.json, avoid uploading sensitive local images, and make sure group participants understand that bot-prefixed messages may actually be sent under a human user identity.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch (severity: Medium, confidence: 88%)
This section expands the skill from simple group messaging into persistent contact memory management and mutation of local configuration files. That materially broadens data collection and state-changing behavior beyond the advertised purpose, increasing privacy risk and the chance of unauthorized profile building or accidental persistence of sensitive relationship data.

Description-Behavior Mismatch (severity: Medium, confidence: 91%)
The skill directs autonomous scheduled messaging, message polling, and immediate replies based on recent group activity, which goes beyond a passive group-chat helper. This enables ongoing surveillance of chat activity and proactive posting without per-message user initiation, raising privacy, impersonation, and abuse concerns.

Intent-Code Divergence (severity: Medium, confidence: 80%)
The documentation gives conflicting instructions about when `message` versus `feishu_im_user_message` should be used, despite earlier absolute prohibitions. In a skill designed to impersonate user identity and route replies differently by sender type, contradictory guidance can cause misdelivery, unintended identity spoofing, or bypass of notification expectations.

Context-Inappropriate Capability (severity: Medium, confidence: 89%)
The script reads agent identity from workspace files outside the declared inputs and silently injects that data into outbound group messages. This creates hidden data dependence on local files and can leak internal persona or operator metadata into chats without explicit user intent, which is especially risky in a messaging skill designed to impersonate user-originated bot speech.

Context-Inappropriate Capability (severity: Medium, confidence: 95%)
The script goes beyond message construction by reading global Feishu app credentials and directly obtaining an access token to upload local files. That expands the skill's privilege boundary from formatting content to using tenant-scoped API credentials, enabling unintended network actions and increasing the blast radius if the script is misused or modified.

Missing User Warnings (severity: Medium, confidence: 88%)
The README explicitly advertises persistent storage of contact preferences, styles, topics, and contact memory files, but it does not clearly warn users about the privacy and data-retention implications of storing potentially sensitive interpersonal data. In the context of a group-chat skill that operates under a user's identity and persists identifiers like open_id/chat_id plus behavioral memory, this increases the risk of collecting and retaining personal data without informed consent or clear handling guidance.

Missing User Warnings (severity: Medium, confidence: 96%)
When given `--image`, the script silently transmits credentials to Feishu for token issuance and then uploads a local file to an external service, with no user-facing disclosure at execution time. In a skill intended for casual chat and '自拍/闲聊' (selfies / small talk), this hidden exfiltration path is more dangerous because users may treat local image paths as harmless local processing when they actually trigger external transmission.

Missing User Warnings (severity: Medium, confidence: 92%)
The script silently reads sensitive appId/appSecret values from a global configuration file, creating an undisclosed dependency on privileged local secrets. Even if the credentials are not printed, the hidden use of tenant credentials to perform API operations violates least surprise and can enable unintended authenticated actions under the user's organization.

VirusTotal

65/65 vendors flagged this skill as clean.