Security audit

Enable Feishu to send image messages

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Feishu image-message sender, with no hidden persistence or unrelated behavior found, but its documentation overstates some supported features.

Install only if you are comfortable giving these scripts a Feishu app ID and secret that can send messages under that app's permissions. Use a least-privilege Feishu app, keep the secret out of repositories and logs, use trusted image URLs, and be aware that chat_id/user_id delivery may not work until receive_id_type is made configurable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill description overstates functionality and understates actual behavior, which can mislead users about what data flows occur and what identifiers are supported. Security-relevant mismatches reduce user ability to assess risk and can cause messages or data to be sent in unintended ways, especially if the implementation hardcodes receive_id_type=open_id while claiming broader recipient support.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Fetching remote image URLs means the skill may contact arbitrary third-party hosts, exposing the user's IP/network metadata and pulling untrusted content into the workflow. Sending the fetched image and accompanying text to Feishu is also a data-transfer action that users should be warned about, especially in enterprise or sensitive environments.

External Transmission

Medium
Category
Data Exfiltration
Content
source "${SCRIPT_DIR}/config.sh"

# Get token from Feishu API
response=$(curl -s -X POST "${FEISHU_AUTH_ENDPOINT}" \
  -H "Content-Type: application/json" \
  -d "{
    \"app_id\": \"${FEISHU_APP_ID}\",
Confidence
70% confidence
Finding
curl -s -X POST "${FEISHU_AUTH_ENDPOINT}" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
