Back to skill

Security audit

Feishu Image Sender 飞书发图指南

Security checks across malware telemetry and agentic risk

Overview

This skill is a Feishu messaging guide that can send bot messages and upload selected files, and its instructions disclose that behavior.

Install only if you want the configured Feishu bot to send messages and upload selected images or files. Double-check chat IDs, recipients, captions, and absolute file paths before sending, especially for confidential business files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation phrases are broad and include generic keywords such as '发送图片', '飞书消息', and API-scope-like terms such as 'im:resource' and 'image_key', which can cause the skill to trigger outside the user's intended context. In an agent environment, unintended invocation can route user content or files into Feishu messaging actions, increasing the risk of accidental data disclosure or unintended outbound communication.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.