Feishu Meeting Reminder

Security checks across malware telemetry and agentic risk

Overview

This Feishu meeting skill is not malicious, but it should be reviewed because it can create, change, and delete calendar meetings and send notifications about them without clear confirmation requirements.

Install only if you want the agent to manage Feishu calendar meetings, not just remind you about them. Require the agent to ask before creating, editing, or deleting meetings, adding attendees, creating video meetings, or sending notifications, and keep notifications off unless you explicitly request them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger conditions are broad and ambiguous, so ordinary mentions of meeting-related terms may invoke the skill without clear user intent to create, modify, or notify attendees. In a calendar/notification skill, accidental activation can cause unintended scheduling actions, reminders, or participant notifications, creating user-impacting side effects rather than mere harmless retrieval.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documents create, patch, delete, and attendee notification capabilities without warning about their user-visible effects or requiring explicit confirmation. Because these actions can alter calendars and send notifications to other people, omission of impact warnings increases the chance of unauthorized or accidental changes affecting both the requester and third parties.

VirusTotal

65/65 vendors flagged this skill as clean.
