
Security audit

LarkSync Feishu Local Cache

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Feishu-to-local-cache integration, but its WSL helper can send folder tokens to an auto-selected non-local backend and create enabled sync tasks.

Install only if you trust the LarkSync service this skill will contact. In WSL, verify the printed base URL before using create-task or bootstrap-daily, prefer an explicit trusted localhost or host address, keep download_only unless you deliberately want uploads back to Feishu, and review or delete scheduled sync tasks when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill declares no permissions while clearly instructing use of scripts that perform network access, local file interaction, and likely environment-dependent behavior. This creates a transparency and consent gap: an agent or reviewer may underestimate the skill's operational reach and allow actions that touch local paths, probe services, and send cloud folder tokens over HTTP APIs.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The stated purpose emphasizes local cache syncing, but the documented behavior includes backend health/auth checks, configuration changes, task creation, immediate execution, WSL endpoint probing, and optional remote base URLs. This mismatch is security-relevant because users may grant trust for a narrow read/cache function while the skill actually has broader control-plane capabilities that can alter sync modes, trigger uploads, and communicate with non-local services.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding: The helper automatically inserts --allow-remote-base-url whenever the selected or supplied base URL is non-loopback, silently bypassing a safety gate intended to require explicit user consent for remote backends. That weakens the trust boundary for a skill described as local-cache syncing, and could cause the tool to send requests, credentials, or synced document operations to a host the user did not knowingly authorize.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.