feishu-sheets-reader

Security checks across malware telemetry and agentic risk

Overview

This is a real Feishu Sheets integration, but it can use app credentials to modify or delete cloud spreadsheet data without documented confirmation or tight scope controls.

Review before installing. Use a least-privilege Feishu app, avoid broad Drive or production spreadsheet access until tested, and require the agent to confirm the exact spreadsheet token, sheet ID, and affected range before any write or delete operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documents destructive actions such as deleting rows/columns and deleting worksheets, but provides no guidance to require explicit user confirmation, summarize the affected range, or warn about irreversible changes. In an agent setting, this increases the risk of accidental data loss from ambiguous prompts, misunderstanding of indices, or misuse of the tool on the wrong spreadsheet or sheet.

VirusTotal

63/63 vendors flagged this skill as clean.
