dingtalk-feishu-cn

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only DingTalk/Feishu integration guide with expected webhook and API examples, not hidden execution or persistence.

Use this skill only with DingTalk/Feishu workspaces and channels you intend to message. Keep webhook URLs, app IDs, app secrets, and tokens out of chats and logs, test in a low-risk channel first, and confirm that any alert/report content is allowed to leave the local environment and be visible in the target enterprise chat.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill includes concrete examples for sending data to external DingTalk/Feishu webhooks and using app credentials, but it does not adequately warn that message contents may leave the local environment and reach third-party enterprise platforms. In an agent setting, this can normalize outbound transmission of potentially sensitive operational data, secrets, or user content without clear consent or data-classification guidance.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal