Back to skill

Security audit

Feishu Wiki Doc Pipeline/飞书文档导入优化

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Feishu/Lark document-download workflow, with expected local file writes and persistent authorization that users should manage carefully.

Install only if you intend to let the agent use your Feishu/Lark account to read wiki documents and download attachments. Choose a specific workspace download directory, avoid filenames that would overwrite important files, and review the persistent Feishu scopes if you no longer need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to download files to local disk and explicitly use overwrite behavior, but it does not require an explicit user confirmation or warning before writing files. In an agent setting, this can cause unintended modification of the local filesystem, overwriting existing user data or placing files in unexpected locations, especially given the documented Windows path pitfalls.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.