feishu native speech bubble generation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Feishu voice-message helper, but users should review its installer and require confirmation before it sends audio messages.

Install only if you want an agent to generate and send Feishu voice bubbles. Review setup.sh first, keep Feishu bot permissions minimal, and require explicit confirmation of the target chat and message before sending generated audio or onboarding voice samples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 96%
Finding
The trigger word "语音" ("voice") is extremely broad and commonly appears in ordinary chat, so the skill may activate when a user merely discusses voice messages or audio in general. In this skill, unintended activation is more dangerous because activation can lead to tool use, dependency setup guidance, TTS generation, file conversion, and message sending without the user specifically asking for this workflow.

Vague Triggers

Medium
Confidence: 95%
Finding
Repeating the same overly broad trigger in the markdown trigger list reinforces an activation policy that is insufficiently constrained. Because this skill performs multi-step actions involving external tools and outbound messaging, accidental invocation can cause unintended file generation and message dispatch, not just harmless text output.

VirusTotal

66/66 vendors flagged this skill as clean.
