Security audit

feishu file transfer guide

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Feishu file-transfer guide, but its sample code disables HTTPS certificate checks while handling app secrets, tokens, and uploaded files.

Review before using. Do not run the Python examples as written unless HTTPS certificate verification is restored. Use least-privilege Feishu credentials, store secrets outside source code, avoid logging tokens, and confirm the selected file and recipient before uploading.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill provides a workflow for uploading arbitrary local files to an external Feishu service and sending them to a recipient, but it does not require confirmation of file path, recipient identity, or user consent before transmission. In an agent context, this increases the risk of unintended data exfiltration, misdelivery of sensitive files, or privacy breaches if the skill is invoked with the wrong inputs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal