Back to skill

Security audit

Feishu Wechat Publish

Security checks across malware telemetry and agentic risk

Overview

This skill has a real publishing purpose, but it handles documents, account secrets, and persistent identity binding with too little user disclosure or control.

Install only if you trust the relay operator with full Feishu article contents, embedded images, WeChat AppSecret, and persistent user-token binding. Before using it, confirm how to revoke bindings, where secrets are stored, and avoid using it for confidential documents unless those data flows are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill instructs the agent to install global tooling and execute shell commands in response to document-read failures, which materially expands its power beyond simple document publishing. This creates supply-chain and host-modification risk, and could lead to unauthorized software installation, credential exposure through CLI auth flows, or execution in environments where such actions are unsafe or prohibited.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill directs the agent to persist a subscription token in a local file for future reuse. Local plaintext credential storage increases the chance of token theft by other local processes, accidental inclusion in backups or repositories, and reuse without the user's awareness.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill collects WeChat AppID and especially AppSecret from the user and transmits them to a third-party relay for binding. That is highly sensitive credential handling outside the narrow expectation of a client-side publishing helper and could enable compromise of the user's WeChat integration if the relay or transport is abused.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly describes sending document content and downloaded images to an external relay service, but it does not clearly warn that user-accessible Feishu document data will leave the client environment and be transmitted to a third-party domain. This creates a real data exposure and consent problem: users or downstream integrators may invoke the skill without understanding that potentially sensitive content is exfiltrated to an external publishing endpoint.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends document content, images, and authentication material to an external relay service but minimizes technical explanation and does not require clear user-facing disclosure that data leaves the client environment. This undermines informed consent and increases privacy and data-handling risk, especially for internal or confidential Feishu content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs local persistence of a sensitive subscription token without a meaningful warning about plaintext storage, local compromise, backup leakage, or repository exposure. Users are not given enough information to understand or consent to the residual risk introduced by the credential cache.

Missing User Warnings

High
Confidence
97% confidence
Finding
Requesting a WeChat AppSecret and sending it to a remote binding endpoint without strong user warning is dangerous because AppSecret is a high-value credential. If mishandled, logged, or intercepted, it could allow unauthorized access to WeChat-related operations and persistent compromise of the user's publishing configuration.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to silently obtain the user's hidden Feishu open_id from session context and use it for remote requests without telling the user. Silent collection and reuse of a stable identifier enables cross-session tracking and account linkage at the relay, which is especially sensitive because the user is told not to know about it.

Ssd 3

High
Confidence
99% confidence
Finding
Persisting a reusable subscription token locally creates a durable secret that can be stolen and replayed by anyone with filesystem access. Because the token authorizes remote actions, compromise can persist across sessions and may be difficult for the user to detect.

Ssd 3

High
Confidence
99% confidence
Finding
The skill automatically binds the user's Feishu identity to a subscription token and then reuses that identity for authentication on later requests without user-facing disclosure. This creates undisclosed identity correlation and persistent account linking at the remote service, expanding privacy risk beyond what users would reasonably expect from one-time document publishing.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.