Feishu Group Memory

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it handles sensitive Feishu group chat data and paid billing with weak consent, retention, and secret-handling safeguards.

Review before installing. Use only with Feishu groups you are authorized to process, assume extracted chat content may be stored locally, and require explicit confirmation before any billed analysis, advice, or summary. This version should remove and rotate the exposed SkillPay key and add clear privacy, retention, deletion, and billing-confirmation controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill documentation directs the agent to read/write workspace files, access Feishu over the network, and potentially use environment-backed credentials, but the skill declares no permissions. This creates a transparency and consent problem: users and platform controls cannot accurately evaluate the skill's access scope before execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill description understates or misframes important behavior: it includes explicit billing operations and relies on the model to perform core AI analysis that is not implemented in code. This mismatch can mislead users about what the skill actually does, when charges may occur, and which actions are automated versus model-mediated, increasing the risk of unexpected payment or unsafe use.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding:
The advice trigger includes a broad everyday phrase ('give me some advice'), which can cause the skill to activate in contexts the user did not intend. In this skill, unintended activation is more sensitive because it can lead to retrieval of stored group history and a billable advice flow.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill instructs fetching, analyzing, and storing group messages without an explicit privacy warning or consent step. Because group chats may contain personal, confidential, or third-party data, silent collection and persistence materially increase privacy, compliance, and unauthorized disclosure risks.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The knowledge pack explicitly encourages extracting and structuring sensitive business and personal data from group chats, including customer intent, pricing, contracts, and decision-maker details, but it provides no privacy notice, minimization guidance, consent requirements, or retention limits. In a chat-ingestion skill, this omission increases the risk of collecting personal and commercially sensitive data in ways users may not expect, creating privacy, confidentiality, and compliance exposure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The file specifically instructs recording decision-maker names, titles, contact details, and preferences, which are personal data elements, yet provides no warning or safeguards for handling that information. Because this skill is designed to persist and query extracted chat content, the absence of consent, minimization, and access-control guidance makes misuse or overcollection more likely.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
A live SkillPay API key is hardcoded directly in the source file, which makes secret exposure likely through source control, logs, packaging, or downstream distribution of the skill. Anyone who obtains this key may be able to impersonate the skill to charge users, query billing data, or generate payment links depending on API permissions.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The code explicitly fetches raw Feishu group messages and returns them for downstream AI analysis, but there is no consent check, privacy notice, redaction step, or filtering of sensitive content. In a group-chat memory skill, this increases the chance of exposing personal data, confidential business discussions, or regulated content to later components or operators.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
Structured records are appended to a persistent local JSONL file in the workspace without any retention policy, encryption, or user-facing indication that the data will be stored long-term. This can lead to unintentional persistence of sensitive project, customer, or legal information on disk where other local users, backups, or later processes may access it.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The template asks authors to provide 20–30 trigger keywords but does not require precision, disambiguation, negative examples, or activation boundaries. In a skill that extracts and stores group-chat information, overly broad keywords can cause excessive activation, unintended collection of unrelated conversations, and downstream privacy or billing risk through unnecessary analysis calls.

Ssd 3

Severity: Medium
Confidence: 90%
Finding:
The skill is designed to persist analyzed message content and reuse it for later queries, summaries, and advice across sessions. That retention model increases the chance of sensitive chat data being exposed later to the wrong user, reused beyond the original purpose, or kept longer than necessary.

VirusTotal

64/64 vendors flagged this skill as clean.