Security audit

feishu-weekly-report-merger

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the stated Feishu weekly-report merge, with a real but disclosed temporary-file handling risk users should manage.

Install this only if you are comfortable letting the agent read the selected Feishu reports and create a merged Feishu document. Confirm the exact source documents before running it, check the new document’s sharing permissions, and ensure /tmp/merge_doc_*.md files are removed after the merge because they can contain full report text.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs saving full source document contents to predictable local temporary files under /tmp without warning about persistence, access scope, or cleanup. For weekly reports that may contain sensitive business data, this creates a realistic confidentiality risk through residual data exposure, cross-process access on shared systems, or later recovery from disk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.