Security audit

飞书任务智能体 (Feishu Task Agent)

Security checks across malware telemetry and agentic risk

Overview

This Feishu task skill mostly matches its stated purpose, but it can install ongoing automations and change future agent routing and scheduler behavior, so it should be reviewed before use.

Install only if you intentionally want this skill to manage Feishu tasks and recurring automation. Before enabling it, review the cron jobs it creates or updates, the AGENTS.md routing changes, and the Feishu profile update behavior; use a test workspace first and require explicit approval for recurring jobs and scheduler changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill advertises routing behavior only, but static analysis detected file read/write and environment access without any declared permissions. Undeclared capabilities weaken reviewability and can enable unexpected access to local data or persistence, especially in a task-oriented skill that may process user-driven inputs and generate files like daily.json.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding:
The description does not fully match the observed behavior: the skill appears to access local configuration or environment data to resolve app_id, but this resource access is not disclosed. Description-behavior mismatch is dangerous because reviewers and users may trust the declared purpose while the skill performs additional sensitive operations, making hidden data access harder to detect and govern.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding:
The workflow expands from Feishu task processing into scheduler administration by enumerating all cronjobs and mutating cron payloads. That is a scope increase with control-plane impact: if the agent can rewrite cron messages, a malformed match or prompt-induced misselection could redirect future executions, interfere with unrelated jobs, or persist unintended behavior beyond the current task.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding:
Listing all cronjobs is broader than necessary to update the next task ID for one repeat task. Broad enumeration exposes unrelated scheduler metadata and increases the chance the agent selects or modifies the wrong job, especially in multi-tenant or shared operational environments.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding:
The registration workflow edits the agent's global AGENTS.md to inject persistent routing rules that force future inputs through feishu-task-agent. That exceeds a narrow 'register/init' scope and creates a durable behavior change affecting unrelated future interactions, which is a form of policy/configuration injection rather than simple initialization.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding:
The file claims registration can only be triggered by exact user phrasing and forbids indirect invocation, but later instructs persistent AGENTS.md changes that can automatically steer future requests into feishu-task-agent. This contradiction is dangerous because it bypasses the stated trigger restrictions after registration, enabling broader automatic control over routing than the user may have intended.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding:
The skill enables implicit invocation with no visible trigger constraints, exclusions, or narrowing conditions in the manifest. Because this skill can create tasks, process unfinished tasks, perform registration/initialization actions, and generate daily.json summaries, broad auto-routing raises the risk of unintended activation and execution on ambiguous user input, potentially causing unauthorized task creation or workflow side effects.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding:
The example instructs creation of recurring scheduled actions with hidden processing directives and automatic announcement behavior, but does not require an explicit user-facing confirmation or warning that persistent automation will be created and may continue changing task state over time. In an agent skill, this is dangerous because examples often become implementation guidance, increasing the chance that operators silently create durable automations the user did not fully understand or intend.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding:
The workflow directs the agent to rewrite scheduler configuration through a shell command without any explicit warning, approval gate, or safety checks. Because scheduler state is persistent and affects future automated executions, silent mutation can create hard-to-detect operational changes, accidental task hijacking, or durable misconfiguration.

Ssd 3
Severity: High
Confidence: 94%
Finding:
The scheduled-task rule embeds a hidden message directing future executions to generate output from broad Feishu context including messages, tasks, and calendar data. This encourages over-collection and use of unrelated user/workspace data without clear scoping, minimization, or user-visible consent, increasing the risk of sensitive information leakage into generated reports or downstream comments/artifacts.

Ssd 3
Severity: Medium
Confidence: 92%
Finding:
The scheduled task message explicitly tells the system to generate output using broad context from Feishu messages, tasks, and calendars, and the hidden directive further embeds internal workflow instructions into the scheduled content. This creates an ongoing data-minimization and privacy risk because future executions may pull more user or organizational context than necessary, and the hidden nature of the instruction reduces transparency and informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.