Security audit

my-lark

Security checks across malware telemetry and agentic risk

Overview

This Feishu/Lark skill mostly matches its stated purpose, but it embeds an app secret and exposes broad business-data actions without enough scoping or credential safeguards.

Install only after reviewing the code and replacing the embedded app credentials with your own secure secret storage. Use least-privilege Feishu permissions, avoid production workspaces until write/delete actions are gated by explicit confirmation, and do not print or paste token files into terminals, logs, chats, or agent transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents and encourages use of powerful capabilities—shell execution, file reads/writes, network access, and environment interaction—yet declares no permissions boundary. In an agent setting, this removes an important consent and policy layer, making it easier for ordinary prompts to trigger sensitive local or external actions without clear user awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a Feishu integration guide, but it also exposes a generic `call` pathway that can invoke arbitrary MCP tools beyond the enumerated user-facing workflows. Combined with local token handling, this broadens the effective attack surface and can enable unintended operations not obvious from the high-level description.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The `call` CLI path exposes an unrestricted generic MCP invocation interface, allowing any available Feishu MCP tool to be executed beyond the guided helper operations described in the skill metadata. In an agent-skill context, this materially expands capabilities and can enable unreviewed actions or data access through tools the user did not expect this skill to expose.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
`feishu_api()` is a raw wrapper for arbitrary HTTP methods and paths against the Feishu Open API, creating a broad primitive that exceeds the narrow, guided operations implied by the skill description. Even if only helper functions currently use it, the function makes later extension or indirect misuse trivial, increasing the chance of unauthorized data access or modification.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad and overlap with common natural requests like sending messages, searching documents, and checking calendars. In an agent environment, that increases the chance of accidental activation and unintended access to enterprise messaging, documents, or calendars when the user did not mean to invoke this skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation shows the credential file path and example secret-bearing JSON structure, and repeatedly instructs users to print the file contents for validation. In a shared or agent-controlled workspace, normalizing `cat /workspace/.lark_tokens.json` increases the risk of credential disclosure through logs, transcripts, screenshots, or prompt injection chains.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file embeds a Feishu App ID and App Secret directly in source code. Hardcoded credentials are highly sensitive because anyone with code access can extract and reuse them to authenticate against the associated service, potentially leading to unauthorized API access, abuse of app privileges, and difficult secret rotation after disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
User access tokens are persisted to `/workspace/.lark_tokens.json` without any permission hardening, encryption, or user disclosure. Stored bearer tokens can be exfiltrated by other local processes, later sessions, or workspace leakage, enabling unauthorized access to Feishu data and actions under the user's identity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes a concrete spreadsheet write example that modifies remote data but does not warn users that the command is state-changing or potentially destructive. In an agent skill intended for easy use by non-experts, this increases the chance of accidental overwrites, misuse of production spreadsheets, or unsafe autonomous execution by an AI following examples literally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to run `cat ~/.lark_tokens.json`, which prints the full credential file to the terminal and can expose secrets to shoulder-surfing, terminal logging, shell history capture, screen recordings, or support transcripts. In a quick-start document aimed at beginners, this normalizes unsafe secret-handling and increases the likelihood of accidental credential disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example instructs users to place `app_id` and especially `app_secret` directly into a command payload without any warning about secure handling. Even though the request goes to the official Feishu endpoint, embedding secrets in ad hoc examples encourages copying credentials into shells, docs, chats, or recordings where they may be exposed and later abused to obtain access tokens.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The index advertises high-impact actions such as sending messages, deleting or moving files, modifying documents, creating calendar events, and submitting approvals, but provides no user-facing cautions, confirmation guidance, or risk notes. In an agent skill, this increases the chance that an LLM or end user will invoke destructive or privacy-impacting operations without understanding consequences, leading to accidental data loss, unauthorized disclosure, or unwanted actions across a tenant.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section lists capabilities for searching knowledge bases, reading document content, listing collaborators, and accessing spreadsheet or record data, including several marked as requiring User Token, but it does not warn about privacy implications or the sensitivity of retrieved content. In a broadly capable enterprise skill, omission of privacy guidance can cause over-collection, unnecessary exposure of internal documents, and unsafe use of user-scoped tokens.

Credential Access

High
Category
Privilege Escalation
Content
| Credential | Validity | How obtained | Used for |
|------|-------|---------|------|
| App Token (tenant_access_token) | 2 hours, auto-renewed | exchanged automatically from app_id + app_secret | Messages / Calendar / Contacts / Approvals / Bitable / Drive |
| User Access Token | 2 hours | OAuth user authorization | Wiki / cloud document search and reading |

### Permission request checklist (by feature)
Confidence
89% confidence
Finding
Access Token

VirusTotal

65/65 vendors flagged this skill as clean.
