Feishu Md2blocks

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Feishu document helper whose Feishu API use is expected, but users should review the missing permission documentation before installing.

Install only if you intend to let the agent operate on Feishu documents. Before use, verify the Feishu app scopes, avoid broad workspace permissions, and treat replace/overwrite document actions as requiring explicit user confirmation.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill explicitly directs users to run a Python script that makes outbound API calls to Feishu, so it has network-capable behavior despite no declared permissions being present. Missing permission declarations undermine least-privilege review and can hide the skill's operational scope from auditors and users, increasing the chance of unsafe deployment or over-trust.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal