Feishu Connect

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is purpose-aligned for connecting a Feishu bot, but it temporarily handles Feishu registration session data that users should treat as sensitive.

Install this only if you intend to connect a Feishu bot. Verify that generated links stay on Feishu/Open Feishu domains, and avoid sharing device codes, pairing codes, cookies, client_id, or client_secret outside the intended setup flow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to delete a local file and make authenticated network requests to a third-party Feishu endpoint while storing session cookies in /tmp, but it does not require any user notice or consent before doing so. This creates privacy and operational risk because registration/session data may be transmitted or left temporarily accessible on disk, and the user is not informed that the agent is initiating an external registration flow on their behalf.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal