Back to skill

Security audit

科技投资日报

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can use stored Feishu credentials to automatically send generated investment reports to a fixed recipient.

Review before installing. Confirm the hard-coded Feishu recipient, restrict the Feishu app credentials to the minimum message/file permissions, require confirmation before scheduled or automatic sends, and verify the external PDF converter dependency. Treat the generated market analysis as informational rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands and Python scripts but does not declare corresponding permissions. This creates a hidden capability gap where a caller or reviewer may not realize the skill can execute local code, write files, and interact with the host environment. In an agent setting, undeclared execution capability materially increases risk because it weakens permission review and user consent.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill reads Feishu app credentials from a local config file and uses them directly to obtain tokens, upload files, and send messages to a hard-coded recipient. This is dangerous because it expands the skill from content generation into direct credential use and autonomous external communication, enabling unauthorized data transmission if the generated report or attached files contain sensitive information.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation scope is broad enough to trigger on generic requests like sending a daily investment report, which can cause the skill to perform network access, shell execution, file generation, and message sending without a narrowly defined intent boundary. Broad triggering increases the chance of accidental invocation and unintended outbound delivery.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill performs file writes, shell execution, PDF conversion, and outbound uploads/messages without clear user-facing warning or consent around these system-impacting actions. In an agent environment, hidden side effects are dangerous because they can exfiltrate data, consume local resources, and trigger external communications unexpectedly.

External Transmission

Medium
Category
Data Exfiltration
Content
user_id = "ou_159cbb6a3791ff5a98f3a2a4b38e7d4c"
pdf_path = "/tmp/tech-invest-YYYYMMDD.pdf"

token = requests.post(
    "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal",
    json={"app_id": app_id, "app_secret": app_secret}
).json()["tenant_access_token"]
Confidence
88% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
).json()["tenant_access_token"]

with open(pdf_path, "rb") as f:
    file_key = requests.post(
        "https://open.feishu.cn/open-apis/im/v1/files",
        headers={"Authorization": f"Bearer {token}"},
        data={"file_type": "pdf", "file_name": Path(pdf_path).name},
Confidence
95% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
files={"file": f}
    ).json()["data"]["file_key"]

requests.post(
    "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id",
    headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    json={"receive_id": user_id, "msg_type": "file", "content": json.dumps({"file_key": file_key})}
Confidence
90% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
user_id = "ou_159cbb6a3791ff5a98f3a2a4b38e7d4c"
pdf_path = "/tmp/tech-invest-YYYYMMDD.pdf"

token = requests.post(
    "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal",
    json={"app_id": app_id, "app_secret": app_secret}
).json()["tenant_access_token"]
Confidence
88% confidence
Finding
requests.post( "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal", json=

External Transmission

Medium
Category
Data Exfiltration
Content
files={"file": f}
    ).json()["data"]["file_key"]

requests.post(
    "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id",
    headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    json={"receive_id": user_id, "msg_type": "file", "content": json.dumps({"file_key": file_key})}
Confidence
90% confidence
Finding
requests.post( "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id", headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"}, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.