Feishu Weekly Report Generator

Security checks across malware telemetry and agentic risk

Overview

This weekly-report skill is mostly coherent, but its local script builds a shell command from user-supplied options, which can run unintended commands.

Install only if you are comfortable running a local Node.js script. Use trusted date and repository path arguments, avoid letting untrusted text populate command options, choose output paths carefully, and review or redact generated reports before sharing them in Feishu or elsewhere.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill advertises automatic collection of work data from sources like git commits, calendar events, and task completions without any privacy warning, consent guidance, or scope limitation. In practice, this could lead users or agents to gather sensitive internal project details, personal calendar content, or confidential task metadata and include them in a report unintentionally.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: Mentioning Feishu API-based document creation without warning that report contents and credentials may be transmitted to an external service creates a real risk of unintended data disclosure or mishandling of bot tokens. Users may not realize that exporting through an API changes the trust boundary and can expose sensitive work summaries or secrets if tokens are mismanaged.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal