Feishu File Send

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for sending user-selected workspace files to Feishu, with expected external-sharing risk but no hidden code or deceptive behavior found.

Install only if you want the agent to send selected files from the workspace through Feishu. Before each send, verify the file path, contents, caption, and recipient or channel, and avoid sending sensitive files unless you are comfortable sharing them externally.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The skill’s stated purpose is sending files to Feishu, but it also documents invoking Python via subprocess to generate a file. That broadens the operational scope from simple transmission to local code execution guidance, which can normalize unsafe agent behavior and create opportunities to generate or manipulate files before exfiltration.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill enables external transmission of arbitrary files to Feishu but does not warn that this may disclose sensitive local data to a third-party service. In an agent setting, omission of an explicit exfiltration warning increases the risk that users or downstream systems treat outbound file sending as routine and safe.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal