Yaxie Yoga Studio Business Consultant (yaxie--consultant)

Security checks across malware telemetry and agentic risk

Overview

The skill’s purpose is coherent, but it packages reusable Feishu credentials and broad wiki access scripts that could expose a private business knowledge base.

Install only if you trust the publisher and are authorized to access the linked Feishu tenant. Treat the bundled app secret as exposed: it should be rotated and removed from the package. Users should also understand that the skill can list wiki metadata, reveal document object tokens, download documents, run local Python for parsing, and write extracted content to a chosen file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: High
Confidence: 99%

Finding:
The documentation directly exposes a Feishu App ID and App Secret, which are sensitive credentials that can be reused by anyone who can read the skill file. An attacker could use them to mint access tokens and access Feishu tenant resources, making this a direct credential leakage issue rather than a theoretical weakness.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%

Finding:
The script enumerates the entire Feishu wiki space and prints a full inventory of files, which exceeds the stated skill purpose of targeted knowledge lookup, reading, and summarization. Broad listing of internal content metadata can expose the structure and scope of a private knowledge base, making unauthorized discovery and follow-on access easier.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%

Finding:
The code prints each file's obj_token, which is an internal document identifier not needed for normal end-user knowledge queries. Exposing internal IDs can aid enumeration, correlation, and abuse of downstream APIs that accept those identifiers, especially when combined with valid credentials.

Context-Inappropriate Capability

Severity: High
Confidence: 98%

Finding:
The script builds a shell command with exec('python ' + pyFile) after writing a temporary Python file, creating an unnecessary subprocess execution path for document parsing. In an agent skill context, invoking external interpreters expands attack surface, depends on ambient system state, and can lead to command execution abuse if path resolution or surrounding environment is compromised.

Context-Inappropriate Capability

Severity: High
Confidence: 98%

Finding:
The PDF parsing path repeats the same risky design by generating a temporary Python script and executing it through the shell. This is especially concerning in a skill intended only to read knowledge-base content, because it introduces interpreter execution and dependency loading unrelated to the minimal trust boundary needed for file reading.

Context-Inappropriate Capability

Severity: Low
Confidence: 83%

Finding:
The script prints internal Feishu document identifiers (obj_token) to the user, exposing backend object references that are not necessary for a user-facing keyword search. Even if the tokens are not directly sufficient for access, they increase information disclosure and can aid enumeration, automation, or misuse in a broader attack chain.

Missing User Warnings

Severity: High
Confidence: 97%

Finding:
Publishing live application credentials without any handling restrictions or operator warnings normalizes unsafe secret exposure and enables misuse by any reader. In this context, the absence of warnings is especially dangerous because the credentials appear sufficient to access a business knowledge repository and related Feishu resources.

Missing User Warnings

Severity: High
Confidence: 99%

Finding:
The script contains hardcoded Feishu APP_ID and APP_SECRET, allowing anyone with source access to obtain tenant access tokens and query the remote knowledge base. Embedded secrets are a direct credential exposure issue that can enable unauthorized API access, metadata harvesting, and potentially broader compromise depending on granted permissions.

Missing User Warnings

Severity: High
Confidence: 100%

Finding:
The file hardcodes Feishu APP_ID and APP_SECRET directly in source code, exposing reusable credentials to anyone who can read the skill package or logs. If leaked, these secrets can be abused to obtain tenant access tokens and access or download protected enterprise documents, making the impact severe.

Missing User Warnings

Severity: High
Confidence: 99%

Finding:
Hardcoded application credentials in source code are a real secret-management vulnerability. Anyone with access to the skill code can extract the Feishu APP_ID and APP_SECRET, obtain tenant access tokens, and query the connected wiki space, which is especially dangerous here because the skill is meant to access a business knowledge base containing operationally sensitive content.

VirusTotal

65/65 vendors reported this skill as clean.