Security audit

feishu-card-sender-beautify: Feishu card push and display script

Security checks across malware telemetry and agentic risk

Overview

This skill is a small, transparent Feishu card-message helper; its outbound messaging ability is disclosed and matches its purpose.

Install only if you want an agent to help compose and send Feishu Interactive Card messages. Before sending, confirm the recipient ID and type, message content, button URLs, and any scheduled workflow that may trigger delivery; grant the Feishu bot only the permissions and audience needed for that use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 92%
Finding:
The trigger conditions are broad and loosely defined, including generic cases like '用户要求发送卡片消息' ("the user asks to send a card message") and '格式化通知需求' ("formatted notification needs"), which can cause the skill to activate in situations beyond the author's intended scope. In a messaging skill that can send outbound Feishu interactive cards, overbroad activation increases the risk of unintended message sending, notification spam, or use in workflows where explicit user confirmation and destination validation were not performed.

VirusTotal

66/66 vendors flagged this skill as clean.