Security audit

mmxagent-skill-feishu

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use API client credentials for its stated integration purpose, but users should handle the client secret carefully.

Install only if you trust the service and need this integration. Provide client secrets through environment variables or an approved secret manager, avoid pasting them into chat, and rotate the secret if it may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly instructs the agent to poll for and obtain `client_id` and `client_secret`, then continue workflow using those credentials, but it provides no guidance on secure handling, minimization, masking, storage lifetime, or user consent for secret processing. In an agent setting, this creates a real risk of unnecessary exposure in logs, memory, transcripts, or downstream tools, especially because the skill normalizes secret collection as part of routine execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal