Context-Inappropriate Capability
Medium
- Confidence
- 92% confidence
- Finding
- The skill explicitly supports uploading from arbitrary remote URLs and local file paths, which expands it beyond simple Feishu document editing into network fetching and local filesystem access. In an agent setting, this can enable unintended exfiltration of local files or transmission of sensitive content into Feishu if a user prompt or downstream instruction causes the tool to read from local paths or fetch attacker-controlled URLs.
