Feishu Docs

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Feishu document-management tool, but it needs review because its default update mode can erase existing document content without a separate confirmation step.

Install only if you are comfortable giving the skill Feishu document read/write/delete authority. Use a least-privilege Feishu app, keep FEISHU_APP_SECRET private and out of version control, verify document and folder tokens carefully, prefer --append when possible, and export or back up important documents before using overwrite update or delete operations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (8)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README instructs users to place `FEISHU_APP_SECRET` in a local `.env` file but does not warn them to keep that file out of version control or otherwise protect the secret. In a developer-facing CLI skill, this omission can realistically lead to accidental secret exposure through git commits, shared screenshots, logs, or copied setup snippets, enabling unauthorized API access to Feishu tenant resources.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The skill instructs users to place FEISHU_APP_ID and FEISHU_APP_SECRET in a .env file but does not warn about protecting that file from source control, logs, or accidental sharing. This can lead to credential exposure, which would allow unauthorized access to Feishu tenant APIs with document read/write/delete capabilities.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The tool prints full document contents to stdout and optionally writes them to arbitrary local files with no masking, redaction, or privacy warning. In an agent/CLI context, stdout is often captured by logs, chat transcripts, or orchestration systems, so reading a sensitive Feishu document can unintentionally exfiltrate private data beyond the intended destination.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: This code uploads a local file directly into a remote Feishu workspace, which is a data-transfer boundary crossing. In an agent skill, users may provide local paths assuming local-only processing; without a clear warning or confirmation, sensitive local files could be unintentionally transmitted to a third-party cloud service.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The update flow deletes existing top-level document blocks before adding replacement content when --append is not set. If the replacement operation fails mid-process, the document may be partially or fully destroyed, creating a data-loss risk amplified by agent automation where destructive actions may occur without close human review.

Unpinned Dependencies

Low

Category: Supply Chain
Content: }, "private": true, "dependencies": { "@larksuiteoapi/node-sdk": "^1.58.0", "commander": "^14.0.3", "dotenv": "^17.2.4" }
Confidence: 88% confidence
Finding: "@larksuiteoapi/node-sdk": "^1.58.0"

Unpinned Dependencies

Low

Category: Supply Chain
Content: "private": true, "dependencies": { "@larksuiteoapi/node-sdk": "^1.58.0", "commander": "^14.0.3", "dotenv": "^17.2.4" } }
Confidence: 88% confidence
Finding: "commander": "^14.0.3"

Unpinned Dependencies

Low

Category: Supply Chain
Content: "dependencies": { "@larksuiteoapi/node-sdk": "^1.58.0", "commander": "^14.0.3", "dotenv": "^17.2.4" } }
Confidence: 88% confidence
Finding: "dotenv": "^17.2.4"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal