Feishu Voice

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: turns provided text into audio and sends it as a Feishu voice message, with expected privacy caveats.

Install only if you intend your text to be processed by the configured TTS dependency and the resulting audio to be uploaded and sent through Feishu. Use a trusted coze-tts installation, least-privilege Feishu bot credentials, and avoid sending secrets, regulated data, or sensitive business content unless that data flow is approved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill sends user-provided text to the external Coze TTS service and uploads generated audio to Feishu, but the documentation does not clearly and prominently warn that both text content and derived audio leave the local environment. This can lead users to unknowingly transmit sensitive, proprietary, or personal information to third parties, creating privacy, compliance, and data-governance risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal