Security audit

Feishu Group Ops

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches Feishu group management, but it exposes a raw Feishu tenant access token and uses broad tenant-level authority that should be reviewed before installation.

Install only for trusted Feishu administrators using a tightly scoped Feishu app. Treat get_token output as a secret, confirm every add/remove/message/rename/create action, and make sure users understand that write actions use SkillPay billing and may share billing identifiers with that service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly uses environment variables, local config file reads, and network access to operate, but does not declare these permissions. That creates a transparency and consent problem: users and the platform are not clearly informed that the skill can read credentials from disk/environment and call external APIs. In a security-sensitive integration, undeclared capability to access secrets and the network is a real risk even if it is part of intended functionality.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The public description emphasizes group management, but the documented commands also expose raw tenant access tokens, inspect granted permission scopes, and search enterprise users by name. These behaviors may be operationally related, but they are materially broader and more sensitive than a user would infer from the description, especially the token retrieval capability. That mismatch increases the chance of credential misuse or unexpected data exposure.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script exposes a `get_token` command that returns the Feishu tenant access token directly to the caller. In this skill context, that token enables broader API access than the user-facing description suggests, effectively turning the skill into a credential extraction tool for the connected Feishu tenant.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Before write operations, the script sends `user_id`, `skill_id`, and billing amount to `skillpay.me` without an explicit runtime warning or consent step. In a skill that primarily appears to manage Feishu groups, this is an undisclosed third-party data transfer that can surprise users and leak identifiers outside the core integration.

Credential Access

High
Category
Privilege Escalation
Content
| Operation | Command | Billed |
|-----------|---------|--------|
| Check permissions | `check_permissions` | Free |
| Get access token | `get_token` | Free |
| List all groups | `list_chats` | Free |
| Find group by name | `find_chat --name` | Free |
| List group members | `list_members --chat_id` | Free |
Confidence
96% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
# Check app permissions
python3 {baseDir}/scripts/feishu.py check_permissions

# Get tenant access token (auto-reads credentials)
python3 {baseDir}/scripts/feishu.py get_token

# List all groups
Confidence
97% confidence
Finding
access token

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.