Back to skill

Security audit

feishu-doc-sender

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Feishu/Lark document-sending helper, with ordinary file-sharing privacy risks but no evidence of hidden or malicious behavior.

Install only if you want the agent to locate workspace documents and help send them through Feishu/Lark. Before approving any send, check the exact file list, recipient or group, file sensitivity, embedded metadata/comments/tracked changes, and which Feishu/Lark account or integration will be used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation language is broad enough that the skill could trigger on many generic 'send document' requests, while also advertising automatic scanning of the workspace. In an agent setting, over-broad activation can cause unintended file discovery and accidental exfiltration of sensitive documents to Feishu recipients if the wrong skill is selected or user intent is ambiguous.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase "把文件发给" is broad enough to match generic file-sharing requests rather than only Word/PDF document delivery. In this skill’s context, broad activation can cause the agent to invoke document-sending behavior unexpectedly, increasing the chance of misrouting files or sending sensitive documents when the user intended a different action.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.