Feishu Meeting

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Feishu meeting purpose, but its script handles meeting details unsafely enough that crafted input could run unintended local code.

Review before installing. Use only with trusted meeting details until the script is patched to pass user input to Python as data rather than executable source. Configure a least-privilege Feishu app, and confirm topic, time, recurrence, and invitees before running because the skill creates attendee-visible calendar entries.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill documentation describes shell and network-capable operations but does not declare corresponding permissions, creating a transparency and least-privilege problem. In an agent environment, undisclosed execution capabilities can cause the skill to make external API calls or run shell commands without users or platform policy having an explicit opportunity to review or restrict them.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal