Credential Access
High
- Category
- Privilege Escalation
- Content
- node - npx config: - ~/.mcporter/credentials.json install: - kind: node package: "@lark-project/meego-mcporter"- Confidence
- 70% confidence
- Finding
- credentials.json
Feishu Project(Meego) Connector
Security checks across malware telemetry and agentic risk
Overview
This skill is a disclosed Feishu Project/Meego MCP connector that uses OAuth credentials for its stated purpose, with explicit user confirmation steps for credential handling.
Before installing, confirm you trust the npm package and the Feishu Project account permissions you grant. Prefer the browser OAuth flow when possible, and use the remote credential-copy flow only if you are comfortable giving the agent a user-approved credential file to write into ~/.mcporter/credentials.json.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)
Credential Access
High
- Category
- Privilege Escalation
- Content
## 凭证管理说明 本技能使用 `~/.mcporter/credentials.json` 存储 OAuth 凭证(由 mcporter 管理)。 - **方式一(推荐)**:浏览器 OAuth——mcporter 自动完成授权并写入凭证,agent 无需接触凭证内容。 - **方式二(远程服务器)**:当服务器没有浏览器时,需要用户在本地电脑完成 OAuth 后将凭证同步到服务器。此流程中 agent 会协助展示 OAuth 客户端配置(不含 token)以及写入用户提供的已授权凭证,所有操作均需用户逐步确认。
- Confidence
- 70% confidence
- Finding
- credentials.json
Credential Access
High
- Category
- Privilege Escalation
- Content
**步骤 A — 向用户展示 OAuth 客户端配置(需用户确认):** 读取 `~/.mcporter/credentials.json` 的内容(此时仅包含 OAuth 客户端参数,不含 token),向用户展示并告知: > 以下是 OAuth 客户端配置,请参考文档 https://project.feishu.cn/b/helpcenter/1ykiuvvj/1n3ae9b4 在本地电脑中完成授权,授权完成后请将生成的凭证文件提供给我。
- Confidence
- 70% confidence
- Finding
- credentials.json
Credential Access
High
- Category
- Privilege Escalation
- Content
**步骤 B — 接收用户提供的已授权凭证(需用户确认):** 用户在本地完成 OAuth 后会提供已授权的凭证文件。在得到用户确认后,将其写入 `~/.mcporter/credentials.json`。 写入完成后,立即清理操作过程中可能产生的任何中间临时文件。凭证内容仅存储在 `~/.mcporter/credentials.json`,不得保存到其他任何位置。
- Confidence
- 70% confidence
- Finding
- credentials.json
Credential Access
High
- Category
- Privilege Escalation
- Content
用户在本地完成 OAuth 后会提供已授权的凭证文件。在得到用户确认后,将其写入 `~/.mcporter/credentials.json`。 写入完成后,立即清理操作过程中可能产生的任何中间临时文件。凭证内容仅存储在 `~/.mcporter/credentials.json`,不得保存到其他任何位置。 #### 3.4. 验证授权结果
- Confidence
- 70% confidence
- Finding
- credentials.json
VirusTotal
64/64 vendors flagged this skill as clean.