Yq Feishu Webhook Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a Feishu/Lark messaging helper, but its broad activation terms and weak disclosure could cause unintended messages or uploads to a third-party service.

Install only if you intentionally want an agent to send content to Feishu/Lark. Use a narrowly scoped webhook/token, avoid secrets or personal data in messages and images, and require explicit confirmation before any outbound send or upload.

SkillSpector (2)

By NVIDIA

Vague Triggers

Medium
Confidence: 91%
Finding:
The trigger list is overly broad for a network-capable skill and includes common terms such as '消息', '通知', and '群消息', which can cause the skill to activate in ordinary conversations unrelated to Feishu webhook delivery. In context, unintended invocation is more dangerous because the skill is designed to send outbound messages to an external webhook, increasing the chance of accidental data disclosure or unintended message posting.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill instructs the agent to send content to a Feishu webhook and upload images using a tenant access token, but it does not clearly warn that user-provided content will be transmitted to an external third-party service. This omission can mislead users about data flow and consent, and in this context it is more dangerous because the skill supports rich content, images, and notifications that may contain sensitive information.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
