Feishu Media Sending

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Feishu media-sending helper with disclosed file and URL sending behavior, but users should verify recipients and files before use.

Install this only if you want the agent to send media through Feishu. Before each send, confirm the exact recipient, local file path or URL, and archive contents, especially for confidential documents, personal data, credentials, or group chats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (91% confidence)
Finding
The activation text is broad enough to trigger on nearly any request about sending media in Feishu, which increases the chance the skill is invoked in situations involving sensitive local files or externally sourced content without sufficient user scrutiny. In a skill whose core function is exfiltrating files to an external messaging platform, overbroad activation materially raises the risk of unintended data transmission.

Missing User Warnings

Medium (95% confidence)
Finding
The skill explains how to send local files and remote media to Feishu but does not prominently warn that this transmits data outside the current environment to a potentially different chat or user. Because it supports arbitrary local file paths and external destinations, the missing disclosure and consent cues increase the risk of accidental leakage of sensitive files or unauthorized sharing.

VirusTotal

66/66 vendors flagged this skill as clean.
