feishu-bot

Security checks across malware telemetry and agentic risk

Overview

This Feishu skill has legitimate document and messaging features, but it bundles extra scripts that can use hardcoded tokens, chats, local Desktop files, and live Feishu writes beyond clear user-directed control.

Install only after reviewing and removing the extra test/demo scripts with hardcoded tokens, document IDs, chat IDs, Desktop scanning, and preset outbound messages. Use fresh Feishu credentials with minimal scopes, confirm every recipient/document/file before running commands, and avoid running scripts that infer local files or send data to fixed chats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (34)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documentation introduces additional capabilities—searching users/chats, reading group messages, and uploading local files—that are not covered by the manifest’s stated scope. In a skill system, undocumented expansion of scope is dangerous because operators may invoke the skill assuming a narrower, safer capability set than it actually has.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script includes user/chat enumeration and chat message-history retrieval features that go beyond the stated messaging purpose of the skill. In an agent context, this scope expansion increases the chance of unauthorized data discovery and bulk exposure of conversation contents, especially because retrieved messages are printed directly to stdout.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The send_file path can open any local filepath and upload its contents to a Feishu chat, enabling arbitrary local file exfiltration. In an agent skill, this is particularly dangerous because a prompt or indirect instruction could cause sensitive files, credentials, or documents to be transmitted off-host without meaningful restriction.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script does more than its apparent purpose of fetching chat messages: it automatically creates a new Feishu document and copies historical chat content into it. That broadens data exposure and creates an undocumented persistence/export path for potentially sensitive conversation data, which is especially risky in a skill whose stated purpose does not clearly include chat archiving.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code reads historical messages from a hard-coded group chat ID, enabling access to a fixed conversation regardless of user intent. In the context of this skill, which is described around sending messages and document operations, silent retrieval of past group communications is an over-privileged and privacy-invasive capability.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script performs local Desktop file discovery, reads a matching .xlsx, and rewrites it, which is unrelated to the stated Feishu document/message operations skill. Capability drift like this is dangerous because an agent invoking the skill could unexpectedly access and modify local user files outside the declared trust boundary, increasing the risk of unauthorized data tampering or misuse.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code enumerates Desktop files and selects an .xlsx by size, then operates on it without the user specifying the file. This creates unauthorized local file targeting behavior that can affect arbitrary matching files and is especially concerning in a skill whose purpose is supposed to be remote Feishu document and messaging actions, not local filesystem manipulation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script uploads a locally generated spreadsheet to Feishu and sends it to a hard-coded chat ID, creating an outbound data-transfer channel that is not clearly constrained by user input or explicit authorization. In the context of a Feishu document/message skill, this is dangerous because it can exfiltrate local business data to a predetermined recipient without meaningful runtime consent or destination validation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script reads a spreadsheet directly from a local desktop path, giving the skill access to local files outside a narrowly defined Feishu document-editing workflow. In this skill context, local file ingestion is more dangerous because the same script later uploads the processed contents externally, enabling accidental or unauthorized exfiltration of sensitive workstation data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script sends a hard-coded news broadcast to a fixed chat ID, which does not match the skill's declared user-directed Feishu document and messaging operations. This creates an undeclared automated messaging capability that could be abused for spam, propaganda, or covert notifications without user intent or runtime approval.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The script reads credential material from a hard-coded local filesystem path, which is brittle and expands access beyond what a user would expect from a Feishu document/message skill. In this context, undeclared local file access is risky because it can expose secrets, tie execution to a specific operator environment, and conceal credential usage from users.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script performs real POST requests that append blocks to a specific Feishu document using hardcoded identifiers, even though it is framed as a test. This creates unintended data modification capability and can alter production or shared documents without user consent, which is especially risky inside an automation skill that handles document operations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script's behavior diverges from the stated Feishu document/message skill purpose by selecting a local Desktop .xlsx file and uploading it to Feishu. In an agent skill context, undisclosed local file access plus exfiltration to a remote API is dangerous because it can move user data off-device without clear user intent or scope restriction.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script enumerates files on the user's Desktop and reads a matching spreadsheet, which is unnecessary for the declared purpose of document/message operations. Desktop enumeration is a sensitive local-data access pattern, and in an agent environment it increases the risk of collecting unrelated private files for later transmission.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script enumerates the user's Desktop and selects a local .xlsx file by size without any user selection, consent, or clear linkage to the declared skill behavior. In the context of a Feishu document/message skill, silently probing local files is more dangerous because it expands capability from cloud document operations into local data discovery, creating clear data-exfiltration risk.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code uploads a local spreadsheet to Feishu IM file APIs, but the skill description only discusses document edits, row/column updates, queries, and sending messages. That mismatch makes the behavior especially risky: an operator invoking document or message actions would not reasonably expect arbitrary local desktop files to be transmitted to an external service.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrase "发消息给群" ("send a message to the group") is ambiguous because it does not specify platform, destination scope, or approval expectations. In a messaging skill, this can lead to accidental routing of generic requests into a capability that can contact real group chats, potentially causing privacy breaches or reputational harm.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrase "发消息给群" ("send a message to the group") is ambiguous because it does not specify platform, destination scope, or approval expectations. In a messaging skill, this can lead to accidental routing of generic requests into a capability that can contact real group chats, potentially causing privacy breaches or reputational harm.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents permanent document deletion but provides no warning, confirmation requirement, or recovery guidance. For destructive remote operations, absence of a confirmation barrier materially increases the risk of user error or prompt injection causing unintended deletion.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The messaging section omits privacy and consent warnings despite supporting outbound messages and retrieval of group message history. In context, this is more dangerous because chat history access and message sending involve third-party communications and potentially sensitive personal or business data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs irreversible document deletion immediately when given a document token, with no confirmation prompt, dry-run mode, or secondary verification of the target document. In an agent skill context, this increases the chance of accidental or prompt-induced destructive actions against user data, especially because document tokens can be passed programmatically without human review.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code reads local file contents and uploads them to an external Feishu API without any explicit warning or confirmation that local data is leaving the machine. This weakens user awareness and makes accidental disclosure of sensitive local content more likely in normal operation or via prompt manipulation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The message retrieval function fetches chat history and prints message bodies, sender identifiers, and metadata to stdout, which may expose sensitive conversation data to logs, terminals, or upstream agent tooling. In a skill environment, stdout is often captured, persisted, or shown to other components, amplifying the disclosure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script exports collected chat messages into a newly created document without any explicit confirmation, warning, or destination review by the user. This can cause unintended disclosure, retention, and wider sharing of private group content, since documents often have different access patterns than chats.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes a new modified workbook to the Desktop with only console status messages and no explicit warning, confirmation, or rollback safeguards. Silent local file creation/modification can surprise users, overwrite expectations, and leak sensitive transformed content into a broadly accessible location like the Desktop.

VirusTotal

64/64 vendors flagged this skill as clean.
