Feishu Writing Bundle

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Feishu document-writing helper, but it gives an agent broad live access to create, edit, read, and share workspace documents without enough built-in confirmation safeguards.

Install only if you want an agent to create and edit Feishu documents for you. Use narrow OAuth/tool permissions where possible, avoid broad full-profile access unless necessary, specify the exact document or destination, and require a preview plus explicit confirmation before edits, deletion, overwrite, replace-all, or publishing content from chats and files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium (87% confidence)
Finding:
The skill is described broadly enough to match many generic writing or editing requests, which can cause over-invocation in situations where the user did not explicitly ask to operate on Feishu. Because this skill is designed to create/update documents and return links, accidental routing can lead to unintended document creation, modification, or disclosure of collaboration URLs.

Missing User Warnings

Medium (93% confidence)
Finding:
Although the body later explains that Feishu docs are the deliverable, the skill description does not upfront warn that invoking the skill may create or modify Feishu documents and return/share document links. This reduces informed consent and increases the chance that users or routing systems invoke the skill without realizing it performs external state-changing actions and may expose document URLs.

Missing User Warnings

Medium (89% confidence)
Finding:
This guidance directs the agent to read chat files and message links and use them to generate Feishu documents, but it provides no guardrails for consent, data minimization, or sensitive-content screening. In an agent setting, that omission can lead to copying private group content, credentials, internal URLs, or personal data into a newly created document and sharing it more broadly.

Missing User Warnings

Medium (93% confidence)
Finding:
The worked example operationalizes a risky flow: search group files, download them locally, read contents, and publish a synthesized document, all without any mention of sensitivity review or access controls. Because examples strongly shape agent behavior, this makes inadvertent data leakage more likely, especially when group-shared files contain confidential or regulated information.

Vague Triggers

Medium (83% confidence)
Finding:
The rule treats very common user phrases like '写个文档' or '帮我写飞书文档' as an automatic trigger to create or update an external Feishu document and return a live link. That broad default can cause the agent to take externally state-changing actions without sufficiently confirming destination, scope, or user intent, increasing the risk of unintended document creation or modification.

Missing User Warnings

Medium (88% confidence)
Finding:
The instructions normalize creating or updating user-accessible Feishu content and returning links as the default completion behavior, but they do not require an explicit user-facing notice that the agent will modify external content. In a multi-tenant, permission-sensitive environment, this can lead to surprising writes, accidental publication in the wrong space, or users not realizing the operation has side effects beyond chat.

Missing User Warnings

Medium (92% confidence)
Finding:
The workflow directs the agent to create a Feishu document and return its link, but it does not require an explicit warning or confirmation that a write operation will occur in the user's workspace. In an agent setting, undocumented write behavior can surprise users and cause unintended data creation or disclosure through generated document links.

Missing User Warnings

High (97% confidence)
Finding:
Workflow B explicitly performs incremental updates to an existing document in place, yet it does not require a warning, confirmation, backup, or dry-run before modifying user content. In-place edits are more dangerous than new-document creation because they can irreversibly alter authoritative material, damage existing structure, or overwrite sensitive content based on misunderstood instructions.

Missing User Warnings

Medium (93% confidence)
Finding:
Workflow C permits either creating a new document or updating an existing one without disclosing which write path will be taken or obtaining consent for that behavior. This ambiguity increases the chance of unintended modification of existing documents, especially in a skill specifically designed to transform drafts into more formal deliverables.

VirusTotal

64/64 vendors flagged this skill as clean.
