Back to skill

Security audit

Smart Message Plus

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed enterprise messaging CLI that stores local configuration and sends user-directed messages through DingTalk or Feishu.

Install only if you are comfortable giving this skill access to DingTalk or Feishu enterprise app credentials and allowing it to send, recall, broadcast, and create/list groups under those app permissions. Keep the data directory private, review stored logs periodically, and use dry-run plus the safety gate for large sends.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises substantial capabilities including environment-variable access, file read/write, shell execution, and outbound network communication, but does not declare permissions or constraints for them. In a messaging skill that stores credentials, reads local files for attachments, and sends data to external platforms, this lack of explicit permission scoping reduces transparency and can enable unintended data access or exfiltration if the skill is invoked in a broader agent environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The description understates the operational scope of the skill by focusing on message sending while the documented behavior also includes group creation, group enumeration, and persistent send/audit logging. This mismatch is security-relevant because users and orchestrators may grant or invoke the skill under the assumption of narrower functionality, while the actual feature set can modify communication topology, reveal group metadata, and retain sensitive messaging records.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script exposes group creation and group enumeration features (`--create-group`, `--list-groups`) that go beyond the stated manifest scope of sending messages. In an agent setting, this scope expansion increases the blast radius of misuse: a user or prompt-injected workflow intended only to send a message could instead create new groups, enumerate organizational groups, or persist aliases, enabling unintended organizational changes and information disclosure.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
This code persists long-lived application credentials to local storage via accounts.json and marks them as secret, but the file shows no encryption, access-control enforcement, or explicit user disclosure about sensitive-at-rest storage. In a messaging skill that manages enterprise DingTalk/Feishu accounts, compromise of local config storage could expose app secrets and enable unauthorized API use across organizational messaging environments.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The token cache writes authentication tokens to token_cache.json for later reuse, again relying on secret=True without visible guarantees of encryption or strict filesystem protections. Cached bearer tokens can often be replayed directly, so theft of the cache may allow unauthorized message sending or account actions until expiry, which is meaningful in an enterprise messaging context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code persistently records message metadata and a truncated content preview to a local JSONL log without any indication of access controls, minimization, retention policy beyond line count, or user disclosure/consent handling in this component. In a messaging skill, even short previews, recipient identifiers, account names, and chat IDs can expose sensitive business communications and create a privacy/security issue if the local filesystem is accessible to other users, backup systems, or malware.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The broadcast audit log stores message previews plus a sample of targets for large sends, which can reveal sensitive announcement content and recipient relationships. Because this skill is specifically designed for enterprise DingTalk/Feishu messaging, logging broadcast targets and previews increases the risk of internal data leakage, especially on shared hosts or endpoints with centralized log collection.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.