Feishu Group Helper

Security checks across malware telemetry and agentic risk

Overview

This Feishu group helper is a disclosed group-management utility, but users should confirm targets before letting it send messages or update stored group records.

Install this only if you want the agent to manage Feishu group records and send messages through a Feishu bot. Before sending, verify the exact target group, chat ID when available, and message text, especially because group-name lookup can use fuzzy matching.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger phrases are broad and overlap with ordinary user language about group management or messaging, which can cause the skill to activate in contexts where the user did not intend to invoke it. Because this skill can send messages and alter persisted group state, accidental activation can lead to unintended external actions rather than a harmless response.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill performs operations with side effects, including writing group metadata to disk and sending messages to external Feishu groups, but it does not specify clear user consent, confirmation, or risk disclosure. In combination with the broad triggers, this raises the chance of unauthorized or mistaken actions affecting real chats and stored data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal