Security audit

feishu-bot-ops

Security checks across malware telemetry and agentic risk

Overview

This Feishu bot operations skill is coherent, but it gives broad recovery and access-control instructions that can disrupt a live bot or weaken who can use it.

Install only if you administer the Hermes Feishu bot. Review the recovery script before running it, back up .env and config.yaml, avoid leaving GATEWAY_ALLOW_ALL_USERS=true or broad bot-to-bot settings enabled, protect Feishu app secrets and tenant tokens, and prefer targeted allowlist/config fixes plus graceful restarts where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as documentation, but it contains prescriptive operational commands that install packages, kill processes, delete lock files, modify configuration, and start services. That mismatch is dangerous because an agent or operator may treat it as read-only guidance while it actually normalizes impactful system changes and credential-related handling.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill explicitly instructs operators to bypass protected credential-file safeguards by writing directly to `.env` from the shell. This undermines a platform safety control around secrets/config integrity and can lead to accidental credential corruption, unauthorized config changes, or secret exposure via shell history and logs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README tells users to execute a one-click recovery shell script directly from the skill directory, but it does not describe what the script changes, what permissions it needs, or what systems/files it may modify. In an agent-skill context, encouraging blind execution of a maintenance script increases the risk of unintended configuration changes, destructive actions, or abuse if the script contents are later altered.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Direct shell appends to `.env` are presented without warnings about duplicate keys, malformed files, permission issues, or secret integrity. In practice this can silently change authentication or authorization behavior and break service operation in ways that are hard to audit or roll back.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill offers one-click fixes using `pkill -9`, lock-file deletion, and background service restart without clearly warning about service interruption, killing the wrong matching process, or deleting state during active use. This raises the chance of avoidable downtime and can amplify an operational issue into a broader outage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The 'Safe restart' and multi-instance recovery sections normalize force-kill and file deletion as standard repair steps without explicit disclosure of downtime or possible message loss. In a messaging gateway context, restarting and breaking WebSocket connectivity can directly cause dropped events and service unavailability.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs operators to obtain a tenant access token using app credentials and immediately call Feishu APIs, but it does not warn about safe handling of those secrets or the sensitivity of the returned token. In an ops skill, this creates a real risk of credential exposure through shell history, logs, screenshots, pasted terminal output, or reuse in unsafe environments.

Ssd 3

Medium
Confidence
98% confidence
Finding
The guidance intentionally circumvents a protection that prevents automated modification of a credential-bearing file. Even if meant as troubleshooting advice, bypassing that safeguard weakens defense-in-depth and creates a path for unsafe configuration changes outside approved controls.

Ssd 4

Medium
Confidence
95% confidence
Finding
The troubleshooting guidance recommends weakening access controls to restore functionality, such as setting `GATEWAY_ALLOW_ALL_USERS=true` and disabling mention restrictions. In a bot/gateway context, that can expand who may interact with the system and increase exposure to unauthorized use, spam, or abuse.

Credential Access

High
Category
Privilege Escalation
Content
# Scenario B: blocked by authorization
grep 'Unauthorized' $HERMES_HOME/logs/gateway.log | tail -3
# If there is output → add GATEWAY_ALLOW_ALL_USERS=true to .env, then restart

# Scenario C: lark-oapi not installed
<hermes_venv>/bin/python -m ensurepip 2>/dev/null
Confidence
91% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
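**Prevention**: Do not open multiple hermes CLI sessions at the same time. When finished, exit with `/exit`; do not just close the terminal.

### .env write protection

Hermes's `write_file` and `patch` tools refuse to write to `.env` (a protected credential file). Workaround: use `terminal` to write to it directly from the shell: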
Confidence
98% confidence
Finding
.env

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# Scenario A: multiple instances / lock file conflict
pkill -9 -f 'hermes gateway run' 2>/dev/null; sleep 2
rm -f $HERMES_LOCAL_STATE/gateway-locks/feishu-app-id-*.lock
hermes gateway run 2>&1 &
sleep 5 && grep '✓ feishu connected' $HERMES_HOME/logs/gateway.log | tail -1
```
Confidence
97% confidence
Finding
rm -f $HERMES_LOCAL_STATE/gateway-locks/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
pkill -9 -f 'hermes gateway'
sleep 2
rm -f $HERMES_LOCAL_STATE/gateway-locks/feishu-app-id-*.lock
hermes gateway run 2>&1 &
sleep 5 && grep '✓ feishu connected' $HERMES_HOME/logs/gateway.log | tail -1
```
Confidence
97% confidence
Finding
rm -f $HERMES_LOCAL_STATE/gateway-locks/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Fix**:
```bash
rm -f $HERMES_LOCAL_STATE/gateway-locks/feishu-app-id-*.lock
```

### Multi-instance conflict
Confidence
94% confidence
Finding
rm -f $HERMES_LOCAL_STATE/gateway-locks/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Three-step fix**:
```bash
pkill -9 -f 'hermes gateway run'; sleep 2
rm -f $HERMES_LOCAL_STATE/gateway-locks/feishu-app-id-*.lock
hermes gateway run 2>&1 &
sleep 5 && grep '✓ feishu connected' $HERMES_HOME/logs/gateway.log | tail -1
```
Confidence
97% confidence
Finding
rm -f $HERMES_LOCAL_STATE/gateway-locks/

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.