Back to skill

Security audit

Feishu Drive

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Feishu Drive helper, but it can move or delete cloud files so users should confirm exact targets before changes.

Install only if you intend to let the agent operate on Feishu Drive. Use least-privilege Feishu access where possible, verify the actual feishu_drive tool provider, and require the agent to show the exact file or folder name/path and get explicit confirmation before moving or deleting anything important.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example invocations are generic enough to trigger the skill for broad requests like listing, moving, or deleting files without clarifying scope, confirmation, or ownership boundaries. In a file-management skill with destructive actions, overly broad activation language increases the chance of the agent selecting this skill in ambiguous contexts and performing unintended operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises delete capability but provides no warning that deletion is destructive, may be irreversible, or should require explicit user confirmation. In the context of cloud storage management, this omission materially increases the risk of accidental or over-broad deletion of user files and folders.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.