Security audit

Feishu Sync Obsidian Local

Security checks across malware telemetry and agentic risk

Overview

This Feishu-to-Obsidian sync skill has a coherent purpose, but it needs review because its local write helper is not safely confined to the vault and its persistence/automation behavior is unclear.

Review before installing. Use only with a deliberate VAULT_DIR, inspect SYNC-RULES.md, run a dry run first, and confirm every planned destination path before allowing writes. Avoid enabling any AGENTS.md append or weekly timer unless you explicitly want persistent automatic sync, and keep a vault backup until the path-containment issue is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill describes and relies on file reads/writes and likely environment-backed tool access, but it does not declare those capabilities explicitly. Undeclared capabilities reduce transparency and consent, making it easier for a user or reviewer to underestimate that the skill can inspect the vault and modify files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The described behavior omits material side effects: caching to /tmp, generating placeholder files for non-docx nodes, and recursively scanning the vault. These hidden behaviors increase the attack surface and can expose sensitive local content or leave artifacts outside the expected vault path, which is especially risky for a sync skill that users may trust with broad file access.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger phrase "同步文档" is broad enough to match unrelated user requests, which can cause the skill to activate unintentionally. Because this skill performs filesystem writes and directory creation, accidental invocation can lead to unauthorized or surprising modifications to the user's vault.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill text does not clearly warn that it will create directories and write files into the vault, even though that is a primary side effect. Missing disclosure undermines informed consent and makes accidental data modification more likely, particularly when paired with a broad trigger phrase.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document states that on network errors, files written before the interruption remain in place, but it does not warn that this can leave the vault in a partially updated and inconsistent state requiring manual review. In a sync skill, this can mislead users into trusting incomplete results, causing broken knowledge organization, missing documents, or decisions based on stale/partial content.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "同步飞书" is broad and likely to overlap with normal conversation, which can cause the skill to activate unintentionally. In this skill, accidental activation is more dangerous because the documented workflow performs synchronization and writes files into the user's vault, so a casual mention could lead to unintended local changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template describes writing into the vault, creating directories automatically, maintaining sync state, and running on a scheduled basis, but it does not prominently warn users that the skill modifies the local filesystem. In the context of an Obsidian vault, silent or poorly disclosed file creation and periodic sync behavior can surprise users, overwrite organizational assumptions, and expand the impact of accidental activation.

VirusTotal

66/66 vendors flagged this skill as clean.
