Official Feishu Toolkit

Security checks across malware telemetry and agentic risk

Overview

This Feishu toolkit appears to do what it says, but it gives an agent powerful live access to workplace data and actions with weak guardrails and an unsafe remote installer option.

Install only after reviewing the permissions the skill requests in your Feishu tenant. Prefer the `claw skill install` path over the `curl | sh` command, use a dedicated low-privilege Feishu app with only the scopes the workflows actually need, keep `FEISHU_APP_SECRET` out of chats, repositories and logs, bind the local server to 127.0.0.1 only, and require human confirmation before sending messages, changing approvals, deleting calendar events, or editing records.
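The recommendations above (loopback-only service, human confirmation before state-changing and destructive actions, recipient allowlisting, secret redaction in logs) can be enforced as a small policy gate in front of the toolkit's local HTTP server. The block below is an added Python example; it is not code from the Feishu toolkit or from Feishu. Only the `/messaging/send` and `/messaging/reply` routes appear on this page; every other route pattern, the `confirmed_by` field, the `acknowledge_irreversible` flag and the allowed `receive_id_type` values are assumptions made for this example.

```python
"""Request gate in front of a locally hosted Feishu toolkit server.

Added example in Python; not code from the toolkit or from Feishu. Only the
/messaging/send and /messaging/reply routes are documented on the page. Every
other route pattern, the ``confirmed_by`` field and the
``acknowledge_irreversible`` flag are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# (HTTP method, path pattern, action label, tier). "read" needs no confirmation,
# "write" needs a human confirmation reference, "destructive" additionally needs
# an explicit acknowledgement in the body. Unmatched routes are denied.
RULES = [
    ("GET",    re.compile(r"^/(contact|attendance|approval|calendar|bitable)/"), "query",           "read"),
    ("POST",   re.compile(r"^/messaging/(send|reply)$"),                         "send_message",    "write"),
    ("POST",   re.compile(r"^/bitable/records"),                                 "edit_record",     "write"),
    ("PUT",    re.compile(r"^/bitable/records"),                                 "edit_record",     "write"),
    ("POST",   re.compile(r"^/approval/(approve|reject|transfer|cancel)$"),      "approval_action", "destructive"),
    ("DELETE", re.compile(r"^/calendar/"),                                       "delete_event",    "destructive"),
]
# Assumption: the receive_id_type values the toolkit forwards to Feishu.
ALLOWED_ID_TYPES = {"open_id", "user_id", "chat_id"}


@dataclass
class Request:
    method: str
    path: str
    body: dict = field(default_factory=dict)
    peer_ip: str = "127.0.0.1"
    # A ticket id or operator handle recorded when a human approved the call.
    # Calls an agent makes on its own arrive without it.
    confirmed_by: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    action: str
    reason: str


def classify(method: str, path: str):
    """Map a route to (action label, tier); unknown routes fall into the deny tier."""
    for rule_method, pattern, action, tier in RULES:
        if rule_method == method.upper() and pattern.match(path):
            return action, tier
    return "unknown", "deny"


def evaluate(req: Request, recipient_allowlist: frozenset) -> Decision:
    """Default-deny policy check run before the toolkit handler sees the request."""
    if not ipaddress.ip_address(req.peer_ip).is_loopback:
        return Decision(False, "unknown", "connection is not from loopback")
    action, tier = classify(req.method, req.path)
    if tier == "deny":
        return Decision(False, action, "route not in policy (default deny)")
    if tier == "read":
        return Decision(True, action, "read-only")
    if not req.confirmed_by:
        return Decision(False, action, f"{tier} action requires a human confirmation reference")
    if tier == "destructive" and req.body.get("acknowledge_irreversible") is not True:
        return Decision(False, action, "destructive action requires acknowledge_irreversible=true")
    if action == "send_message":
        # Recipient verification: only pre-approved ids of a known type may be messaged.
        if req.body.get("receive_id_type") not in ALLOWED_ID_TYPES:
            return Decision(False, action, "unsupported receive_id_type")
        if req.body.get("receive_id") not in recipient_allowlist:
            return Decision(False, action, "recipient not on allowlist")
    return Decision(True, action, f"confirmed by {req.confirmed_by}")


def redact(line: str) -> str:
    """Mask FEISHU_APP_SECRET values (env-style or JSON) before a line is logged."""
    line = re.sub(r"(FEISHU_APP_SECRET\s*=\s*)\S+", r"\1[REDACTED]", line)
    line = re.sub(r'("app_secret"\s*:\s*")[^"]*"', r'\1[REDACTED]"', line)
    return line


if __name__ == "__main__":
    allow = frozenset({"ou_xxx"})
    unconfirmed = Request("POST", "/messaging/send",
                          {"receive_id": "ou_xxx", "receive_id_type": "open_id", "msg_type": "text"})
    print(evaluate(unconfirmed, allow))
    print(evaluate(Request("POST", "/approval/cancel", {"acknowledge_irreversible": True},
                           confirmed_by="ticket-42"), allow))
    print(redact("FEISHU_APP_SECRET=abc123 started"))
```

Run the gate in the server's request path before dispatch; anything the agent calls on its own arrives without `confirmed_by` and is refused unless the route is read-only, which is the friction the findings below say the skill currently lacks.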

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding
The documentation for the transfer-approval endpoint is internally inconsistent: it labels the action as transfer, but the parameters and example actually describe the cancel endpoint. In an approval system, this kind of mismatch can cause an agent or operator to invoke the wrong state-changing action, leading to unintended cancellation or misrouting of approval tasks.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
Finding
The documentation for the destructive DELETE endpoint is internally inconsistent: under 'Delete calendar event' (删除日程) it lists request parameters for adding attendees, not for deletion. This can mislead an agent or developer into sending unintended data or calling the wrong operation in a destructive workflow, increasing the chance of accidental modification or deletion of calendar resources.

Missing User Warnings

Severity: Medium | Confidence: 80%
Finding
The README promotes actions with significant side effects—sending messages, operating approvals, exporting attendance data, and modifying tables—without warning about privacy, authorization boundaries, confirmation requirements, or audit implications. In an agent skill context, this increases the risk that users or downstream agents invoke sensitive operations casually and expose employee data or trigger business actions unintentionally.

Missing User Warnings

Severity: Medium | Confidence: 79%
Finding
The skill advertises high-impact actions such as sending messages, launching approvals, modifying calendars, and editing organizational records without any visible warning or confirmation requirement. In an agent context, this increases the risk of accidental or socially engineered actions that could affect many users or alter business data.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding
The skill documents destructive or irreversible workflow actions such as approve, reject, transfer, and cancel without any guidance for user confirmation, scope checks, or authorization verification. In an agent context, that increases the risk of accidental or prompt-induced approval actions being executed against real business workflows with material operational impact.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The documentation exposes functionality for querying employee attendance records, remedial punch records, and attendance group configuration including physical location details, but it does not include any warning, minimization guidance, or privacy-handling constraints. Because this data is highly sensitive HR and location-related information, omission of privacy safeguards can encourage over-collection, broad access, or improper downstream disclosure by integrators.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The document exposes write-capable endpoints for creating and updating Bitable records without any warning that these operations modify persistent user data. In an agent-skill context, that omission can cause unintended data creation or alteration because an agent may treat these examples as routine actions rather than state-changing operations requiring explicit user confirmation.

Missing User Warnings

Severity: Medium | Confidence: 87%
Finding
The skill documents a destructive delete-calendar-event capability without warning about irreversibility, confirmation requirements, or safe-use constraints. In an agent setting, this lowers friction for unsafe automation and can lead to accidental deletion of legitimate meetings, reservations, and related business records.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The documentation describes broad directory-query capabilities that expose employee personal data such as names, emails, phone numbers, and reporting structure, but it does not warn that these are sensitive data elements requiring minimization and access controls. In an agent skill context, this omission increases the chance that an agent will retrieve and disclose employee PII more broadly than users expect.

Missing User Warnings

Severity: High | Confidence: 97%
Finding
The skill explicitly states that user search is performed with a tenant-wide access token and does not require user authorization, enabling organization-wide directory lookup without per-user consent. In this context, that makes bulk discovery and enumeration of employee identities and org data significantly more dangerous, especially when exposed through an agent that may act on natural-language prompts.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding
The documentation exposes message-sending and reply capabilities that can transmit data to users or group chats, but it does not warn about recipient verification, privacy risks, or the possibility of sending sensitive content to the wrong chat or external participants. In an office-suite integration, this omission increases the chance of misuse, accidental disclosure, and unsafe automation behavior.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The endpoints for approving, rejecting, transferring, and cancelling approvals directly perform workflow-changing actions with no server-side confirmation, secondary verification, or other safety interlock. In an agent skill context, this is risky because an LLM, prompt injection, or accidental user phrasing could trigger irreversible business actions on real approval workflows.

Missing User Warnings

Severity: Medium | Confidence: 83%
Finding
These endpoints directly send user-supplied message content to Feishu outbound messaging APIs without any visible confirmation, authorization boundary, rate limiting, or disclosure mechanism in this file. In an agent/tool context, this can enable unintended external communications, spam, social-engineering messages, or data exfiltration if an upstream prompt or caller can control the parameters.
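Two of the findings above are hard to address in documentation alone: tenant-token user search that permits organization-wide directory enumeration (the High finding), and outbound messaging whose parameters an upstream prompt can control. Both leave a signature in the local server's access log, so they can at least be detected. The block below is an added Python example, not toolkit code: the log line format, the `/contact/users/search?query=` route, the sample log and the thresholds are constructed assumptions for this example.

```python
"""Enumeration and fan-out detector over a local Feishu toolkit access log.

Added example in Python; not code from the toolkit or from Feishu. The log
line format, the /contact/users/search?query= route, the sample log and the
thresholds below are constructed for this example.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed log format: "<iso timestamp> <caller> <METHOD> <path> [<json body>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<caller>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>\{.*\}))?$"
)
WINDOW_SECONDS = 60.0
SEARCH_THRESHOLD = 5   # distinct directory search terms per caller inside the window
FANOUT_THRESHOLD = 3   # distinct message recipients per caller inside the window

# Constructed sample: one agent sweeps the directory, then messages three people.
SAMPLE_LOG = """\
2024-05-01T09:00:00 agent-1 GET /contact/users/search?query=zhang
2024-05-01T09:00:02 agent-1 GET /contact/users/search?query=wang
2024-05-01T09:00:04 agent-1 GET /contact/users/search?query=li
2024-05-01T09:00:06 agent-1 GET /contact/users/search?query=liu
2024-05-01T09:00:08 agent-1 GET /contact/users/search?query=chen
2024-05-01T09:00:10 agent-1 POST /messaging/send {"receive_id": "ou_aaa", "receive_id_type": "open_id", "msg_type": "text"}
2024-05-01T09:00:11 agent-1 POST /messaging/send {"receive_id": "ou_bbb", "receive_id_type": "open_id", "msg_type": "text"}
2024-05-01T09:00:12 agent-1 POST /messaging/send {"receive_id": "ou_ccc", "receive_id_type": "open_id", "msg_type": "text"}
2024-05-01T09:30:00 agent-2 GET /contact/users/search?query=zhao
2024-05-01T09:30:05 agent-2 POST /messaging/reply {"message_id": "om_xxx", "msg_type": "text"}
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]).timestamp(),
        "caller": m["caller"],
        "method": m["method"],
        "path": m["path"],
        "body": json.loads(m["body"]) if m["body"] else {},
    }


def _slide(window, ts, value):
    """Append (ts, value), evict entries older than the window, return distinct count."""
    window.append((ts, value))
    while window and window[0][0] < ts - WINDOW_SECONDS:
        window.popleft()
    return len({v for _, v in window})


def detect(lines):
    """Return (kind, caller, distinct_count, ts) alerts, at most one per caller and kind."""
    searches = defaultdict(deque)
    recipients = defaultdict(deque)
    alerts, fired = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        url = urlsplit(ev["path"])
        caller = ev["caller"]
        if ev["method"] == "GET" and url.path == "/contact/users/search":
            term = parse_qs(url.query).get("query", [""])[0]
            distinct = _slide(searches[caller], ev["ts"], term)
            kind, threshold = "directory_enumeration", SEARCH_THRESHOLD
        elif ev["method"] == "POST" and url.path == "/messaging/send":
            distinct = _slide(recipients[caller], ev["ts"], ev["body"].get("receive_id"))
            kind, threshold = "message_fanout", FANOUT_THRESHOLD
        else:
            continue
        if distinct >= threshold and (caller, kind) not in fired:
            fired.add((caller, kind))
            alerts.append((kind, caller, distinct, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Sliding windows keyed per caller keep the state small, and the per-(caller, kind) latch means a sweep produces one alert rather than one per request; lowering the thresholds makes sense for a tenant where the agent is not expected to look up more than a handful of people per task.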

External Transmission

Severity: Medium | Category: Data Exfiltration | Confidence: 84%
Content
**Send text message:**

```bash
curl -X POST http://127.0.0.1:8002/messaging/send \
  -H "Content-Type: application/json" \
  -d '{
    "receive_id": "ou_xxx",
    "receive_id_type": "open_id",
    "msg_type": "text",
    "content":
```
(snippet truncated in the scan output)
Finding
The flagged request forwards caller-supplied `receive_id`, `receive_id_type`, `msg_type`, and `content` to the `/messaging/send` endpoint, which relays them to Feishu's outbound messaging API.

External Transmission

Severity: Medium | Category: Data Exfiltration | Confidence: 79%
Content
**Request example:**

```bash
curl -X POST http://127.0.0.1:8002/messaging/reply \
  -H "Content-Type: application/json" \
  -d '{
    "message_id": "om_xxx",
```
(snippet truncated in the scan output)
Finding
The flagged request posts a caller-supplied `message_id` and reply payload to the `/messaging/reply` endpoint, which relays them to Feishu's outbound messaging API.

VirusTotal

66/66 vendors reported this skill as clean. An antivirus verdict only covers known malicious code and signatures; it does not address the excessive-agency, missing-confirmation and data-exposure findings listed above.

View on VirusTotal