Lark/Feishu Sheets & Cloud File Download (with PDF extraction)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Lark/Feishu integration for sheet editing, file download, and PDF extraction, with notable but purpose-aligned risks around credentials, cloud data changes, and runtime PDF dependencies.

Install only if you intend to let this skill use your local Feishu/Lark app credentials. Configure least-privilege app scopes, share only the intended sheets/files with the app, confirm target ranges before writes, and consider preinstalling reviewed PDF libraries instead of letting the script install packages at runtime.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
import subprocess
import sys

def _pip_install(*packages: str):
    """Install packages via pip if not already present."""
    subprocess.run(
        [sys.executable, "-m", "pip", "install", *packages],
        check=True,
        capture_output=True,
    )
Confidence: 98%
Finding:
subprocess.run( [sys.executable, "-m", "pip", "install", *packages], check=True, capture_output=True, )

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The Security & Privacy section claims the scripts only access the config file and target spreadsheet, but the same document states they read/write downloaded files, .txt outputs, image directories, and rendered page PNGs. Misstating the actual data access scope is dangerous because it can mislead operators into trusting the skill with broader filesystem access than disclosed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The stated skill is for downloading Lark/Feishu cloud files, but the script goes further by automatically extracting text, extracting images, and rendering PDF pages. This materially increases the attack surface by feeding untrusted PDFs into multiple parsers and utilities, which is riskier than the declared purpose and can expose the host to parser vulnerabilities or unexpected data proliferation.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The script auto-installs packages at runtime when imports fail, which grants the skill an unjustified ability to fetch and execute third-party code. In a security-sensitive agent context, this is dangerous because dependency resolution occurs dynamically and silently, enabling supply-chain compromise or environment tampering far beyond simple file download behavior.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger list includes generic terms like 'spreadsheet', 'download file', and 'cloud file', which can cause the skill to activate on ordinary user requests that did not intend to grant access to Feishu resources or local credential-backed actions. Overbroad invocation increases the chance of accidental credential use, unintended network calls, or unintended writes/downloads.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Silently installing packages via pip without user confirmation violates the principle of least surprise and can cause unexpected code execution and network access. In an agent skill, hidden environment mutation is especially dangerous because users may believe they are only downloading a file, not changing the Python environment.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The script automatically transforms downloaded PDFs into text files, extracted image files, and rendered page images, even when the user primarily requested a download. This creates unannounced derivative artifacts containing potentially sensitive document contents, increasing data exposure, storage footprint, and the number of parsers invoked on untrusted input.

VirusTotal

66/66 vendors flagged this skill as clean.
