Feishu Reaction

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it needs review because it can automatically change Feishu message reactions using local app credentials and a shell script with weak input controls.

Install only if you are comfortable letting the skill use your configured Feishu app credentials to add or remove visible reactions. Prefer limiting Feishu app permissions to reaction-only use, disabling or tightly scoping proactive reactions, and validating emoji values before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (4)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill invokes a shell script but does not declare any permissions, which weakens the platform's ability to inform users and enforce least privilege. In this context, shell execution can access local files, invoke networked tools, and use configured credentials indirectly, so the undeclared capability materially expands risk beyond a simple reaction feature.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The documented behavior frames the skill as adding reactions, but its implementation also reads local Feishu credentials and exchanges them for an access token. That hidden authentication behavior is security-relevant because it handles secrets and can enable broader API access than users may expect from the description, especially when combined with shell execution.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger language is broad enough that the skill may activate in many conversational situations, including cases where the user did not clearly request an action. Because the skill can perform external side effects on messages, overbroad invocation increases the chance of unwanted reactions, accidental automation, and misuse of authenticated Feishu actions.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly supports proactive reactions to incoming messages based on sentiment, but the description does not prominently warn that it may act automatically on user content. Autonomous behavior against live messages can create privacy, consent, and trust issues, and in sensitive channels even benign reactions may be inappropriate or harmful.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal