Feishu Project(Meego) Connector - Bytedance Internal Version

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Meego/Feishu Project connector, but it deserves user review because its remote OAuth flow asks the agent to display and write OAuth credential files and the connector can modify business work items.

Install only if you are authorized to connect an agent to your organization's Meego/Feishu Project account. Prefer the browser OAuth flow where the agent does not see credential contents. For remote OAuth, do not paste or expose full credential files unless you have verified they contain only the intended fields, and review every work-item create, modify, or transition action before it runs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Credential Access

High

Category: Privilege Escalation
Content: **步骤 A — 向用户展示 OAuth 客户端配置（需用户确认）：** 读取 `~/.mcporter/credentials.json` 的内容（此时仅包含 OAuth 客户端参数，不含 token），向用户展示并告知： > 以下是 OAuth 客户端配置，请参考文档 https://bytedance.larkoffice.com/wiki/UspfwpHaFi6LxQkt9xBcIS54nNg 在本地电脑中完成授权，授权完成后请将生成的凭证文件提供给我。
Confidence: 95% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: **步骤 B — 接收用户提供的已授权凭证（需用户确认）：** 用户在本地完成 OAuth 后会提供已授权的凭证文件。在得到用户确认后，将其写入 `~/.mcporter/credentials.json`。写入完成后，立即清理操作过程中可能产生的任何中间临时文件。凭证内容仅存储在 `~/.mcporter/credentials.json`，不得保存到其他任何位置。
Confidence: 96% confidence
Finding: credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal