Security audit

Feishu Bitable Tasker

Security checks across malware telemetry and agentic risk

Overview

This Feishu automation skill appears purpose-aligned, but it needs Review because it handles powerful Feishu credentials and write/delete authority with weak scoping and warnings.

Install only if you are comfortable giving this skill a dedicated Feishu app with the listed Bitable/wiki/doc permissions. Use a test or isolated workspace first, do not paste real App Secrets into chat, store credentials outside shared or synced folders with strict permissions, verify every app_token/table_id before running deletion commands, and treat the validator as a write test against real Feishu data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The README presents a stronger security boundary than the documented OAuth scopes actually provide. Tenant-level `bitable:app`, `wiki:wiki`, and `docx:document` permissions can enable access beyond a single table/document set depending on platform authorization behavior, so users may over-trust the skill and expose more workspace content than intended.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The FAQ provides a ready-to-run API deletion command that can permanently remove a Feishu Bitable table, but it does not include an explicit warning about irreversible data loss, scope, or the need to verify the target app_token/table_id before execution. In an AI-assisted workflow, users or agents may copy and run the snippet directly, increasing the risk of accidental destructive actions against production data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The guide instructs users to grant tenant-level read/write scopes for bitable, wiki, and documents, but does not explain what data the app can access, how broadly those permissions apply, or the risks of over-permissioning. In a task-management skill that integrates with external tools, these broad scopes could expose or modify knowledge-base content beyond the minimum needed if the app is misused or compromised.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The setup requires users to grant the application '可管理' ("Can manage") access on the bitable node to enable advanced operations, but it does not disclose that this elevated permission can allow broader administrative actions than ordinary editing. Because the skill automatically creates and organizes wiki/doc content, this increased control could be abused to alter structure, content, or permissions if the app behaves unexpectedly or is compromised.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The README tells users to paste the App Secret directly into an agent prompt, which can expose a long-lived credential to the model, chat history, logs, transcripts, or downstream tooling. If that secret is captured or mishandled, an attacker could impersonate the Feishu app and access or modify authorized resources.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill explicitly instructs the agent to collect Feishu App ID and App Secret from the user and store them in a local JSON file, but it does not include strong safeguards such as masking, secret-handling warnings, storage protection, or guidance to avoid exposing the values in chat/logs. In an agent setting, this creates a real risk of sensitive credential disclosure through conversation history, terminal history, workspace files, or later tool access.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The validator prints a partial access token to the console during authentication testing. Even partial secret disclosure can aid token correlation, leak into CI logs or shell history captures, and normalize unsafe credential handling in a tool that processes real Feishu app secrets and tokens.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script is presented as a configuration validator, but it performs live remote actions: creating records, updating them, and creating documents in Feishu. Users may run it expecting read-only validation and unintentionally modify production data, which is especially risky in an agent skill intended for task management integrations.

Credential Access

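Severity: High
Category: Privilege Escalation
Content:
> Remind the user: the app must be added to the Bitable in the knowledge base ("..." → "More" → "Add document app"), and its permission must be set to **"Can manage"** (可管理); the default "Can edit" permission is insufficient.

Once collection is complete, write the values to `config/credentials.json` (if the user specified a credentials file name, write to `config/<user-specified name>.json`), then run the configuration:

**Run configuration**
Confidence: 91%
Finding:
credentials.json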

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.