feishu-im

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Feishu/Lark messaging and group-management API reference with powerful but purpose-aligned chat actions.

Install only for agents that should operate a Feishu/Lark bot with messaging and group-management authority. Configure the Feishu app with the narrowest permissions needed, and require explicit user approval for message recall, group creation, adding members, announcements, urgent/system messages, and chat UI configuration changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill requests broad IM permissions and enables actions that directly affect communications and group membership, but its description does not clearly warn users that it can send messages, recall messages, add members, and modify chat configuration. This increases the chance of unintended high-impact actions because users may invoke it without understanding the communication and data-governance consequences.

VirusTotal

65/65 vendors flagged this skill as clean.
