Security audit

Lark Calendar Litiao

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Lark calendar and task tool, but it needs review because it has broad business-data authority and includes extra capabilities beyond its stated scope.

Install only if you trust the publisher and the Feishu tenant app credentials. Before use, verify the actual default calendar ID, confirm that every created event should include Boyang, restrict the Lark app scopes to the minimum needed, and consider removing the unused IM messaging helpers plus excess employee fields.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The module fetches and stores additional directory attributes such as email, mobile, department IDs, and open_id even though the stated purpose is name-to-user_id resolution. This violates data minimization and increases privacy and abuse risk because any downstream code using this module can access broader employee directory data than necessary.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Providing listEmployees and free-text searchEmployees exposes the employee directory as a discoverable dataset rather than using it solely for background name resolution. In the context of a calendar/task skill, this expands the attack surface for employee enumeration, targeted phishing, and unauthorized contact discovery.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code hard-codes a specific user ID and ensures that person is always included as an attendee, regardless of user intent. In a calendar management skill, this creates unauthorized data disclosure because that user can be silently added to meetings and gain access to titles, timing, participants, and related meeting metadata.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The wrapper exposes Lark IM capabilities (`replyMessage` and `sendMessage`) even though the skill is described as only handling calendar events, tasks, and employee lookup. This expands the skill's effective authority into chat operations, enabling unsolicited messaging or data exfiltration through Lark conversations if another component invokes these helpers.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Including chat messaging functions in a calendar/task skill creates a scope mismatch between declared behavior and implemented capability. In agent environments, hidden or unnecessary communication primitives are dangerous because they can be repurposed to send sensitive data, spam users, or perform social-engineering actions under the app's identity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents direct delete operations for calendar events and tasks without any confirmation, authorization, or rollback guidance. In a real agent workflow, this increases the risk of accidental or socially engineered destructive actions that can remove meetings or tasks affecting multiple users.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes an employee directory with names, roles, and user IDs and supports modifying attendees and task members, but does not warn about privacy, consent, or authorization boundaries. This can normalize querying internal identity data and changing other users' calendar/task state without adequate user awareness.

Missing User Warnings

High
Confidence
88% confidence
Finding
This function performs an irreversible remote deletion of calendar events and defaults to notifying attendees, yet there is no safeguard in this code such as confirmation, authorization validation, or a dry-run/check step. In an agent context, ambiguous prompts, prompt injection, or mistaken event IDs could cause unauthorized or accidental deletion of meetings, disrupting schedules and notifying participants of destructive changes.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
These functions modify other users' event participation and always request notifications, but they include no confirmation, policy enforcement, or disclosure of side effects. In an agent setting, this can be abused or triggered accidentally to spam users, alter attendance records, or create social-engineering confusion by silently changing who is invited to meetings.

Exfiltration Commands

High
Category
Prompt Injection
Content
}

/**
 * Send message to a chat
 * @param {string} receiveId - Chat ID or user ID
 * @param {string} receiveIdType - 'chat_id' | 'user_id' | 'open_id'
 * @param {object} content - Message content
Confidence
94% confidence
Finding
Send message to

VirusTotal

58/58 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
lib/lark-api.mjs:15