Back to skill

Security audit

yuqing-bitable-and-label

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its stated XiaoAi-to-Feishu sync and labeling work, but it handles credentials, remote writes, cached tokens, and optional third-party model calls in ways users should review carefully.

Install only if you are comfortable granting write access to the target Feishu Bitable and supplying Feishu/XiaoAi secrets. Use least-privilege Feishu app credentials, prefer an HTTPS XiaoAi base URL, keep .env and .cache private, avoid the included shell scripts on untrusted files, and do not set OPENAI_API_KEY unless the record contents are allowed to leave your Feishu/XiaoAi environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The CLI presents the tool as a simple incremental sync entrypoint, but it can also perform LLM-driven labeling that modifies Feishu Bitable contents. This hidden secondary capability increases the chance of users invoking a broader data-processing workflow than they intended, including sending synced records into an LLM-mediated labeling path.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The optional labeling feature is functionally distinct from the apparent sync purpose and is only exposed through extra flags near the end of the script. In a security-sensitive agent skill, this creates a scope-expansion risk because data copied for synchronization may also be passed into an LLM-assisted enrichment flow that changes records or exposes data to additional processing.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill is framed as a social-media brand-risk classifier, but these lines also enforce internal assistant behavior rules such as how the model must describe executives, products, news, identity, and prompt secrecy. That mixes moderation with covert policy enforcement and can cause user content to be labeled risky merely for exposing or discussing internal constraints, suppressing legitimate reporting and creating misaligned classification behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly requires sensitive credentials (Feishu APP_ID/APP_SECRET and Xiaoai token) and describes synchronizing data to external services, but it does not clearly warn users that secrets will be used for outbound API calls or that Xiaoai data will be transmitted into Feishu. In a skill ecosystem, this lack of disclosure increases the risk of unintended credential exposure, unauthorized data export, and misuse of production data by operators who may not fully understand the network and data-handling behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends record contents such as title, body, extracted frame text, author, channel, follower count, and keywords to an external LLM gateway when OPENAI_* variables are configured, but there is no explicit notice, consent, or gating in the skill output. This creates a real data-exposure risk because potentially sensitive user-generated content is transmitted to a third party outside Feishu without transparent disclosure or minimization.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Feishu tenant access token is cached in a predictable local file under .cache/tenant_token.json with no file-permission hardening, encryption, or user disclosure. On multi-user systems or compromised hosts, another local process or user could read the token and use it to access or modify Feishu resources with the app's privileges until expiration.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The CLI collects highly sensitive values including app credentials, API tokens, customer identifiers, and a target Bitable URL, yet provides no explicit warning that data will be fetched from one service and written into another, with optional LLM-based labeling afterward. This can lead to accidental credential exposure in shell history and uninformed transmission of sensitive business data to external systems.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The health-check routine sources the local .env file with `. "$SCRIPT_DIR/.env"`, which executes arbitrary shell code in that file, not just variable assignments. If an attacker can modify .env or convince a user to run this command in a compromised checkout, the health check becomes a code-execution path and may also load sensitive credentials into the shell environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sources secrets from .env and then passes them as command-line arguments to python3 main.py. On most systems, process arguments are visible to other local users via tools like ps or /proc, which can expose APP_SECRET, tokens, and other credentials.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill hard-codes Chinese-language behavior and output without any user language negotiation or opt-in, which can override user expectations and reduce transparency about how the agent will respond. While this is not a classic security exploit, it is a real prompt-safety and usability issue because it can be used to constrain or manipulate downstream behavior in ways the user did not request.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The prompt marks broad negative commentary, privacy allegations, malfunction reports, and after-sales complaints as brand-safety risk with no balancing allowance for truthful, good-faith consumer complaints or safety reporting. In practice this can be used to systematically suppress legitimate incident reports, product defect claims, and privacy concerns about Xiaomi/XiaoAi, undermining trust-and-safety review and hiding real harms.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.