Back to skill

Security audit

Lark Mention

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it helps send real Feishu/Lark group @ mentions through a local bridge, including broad notifications.

Install this only if you want the agent to send real Feishu/Lark group messages. Verify the chat ID, recipients, and message text before each send, especially for @all or multi-person mentions, and use only a trusted local bridge service with appropriate access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README explicitly supports sending real @ mentions, including @all, into actual Feishu group chats but does not warn users about the risk of notifying large groups or accidentally messaging production chats. While this is expected functionality rather than covert exfiltration, the lack of safety guidance increases the chance of misuse, spam, or operational disruption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill can send messages with real @ mentions to specific users or potentially all members in a group, but the description does not warn users about this notification-spamming capability. Missing this disclosure increases the risk of accidental misuse, unsolicited mass notifications, or social-engineering abuse through the agent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.