Back to skill

Security audit

Message Tracker Plugin

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Feishu webhook notification helper, but users should treat forwarded message content and webhook secrets carefully.

Install only if sending the selected tracked messages to the configured Feishu channel is acceptable for your organization. Use an approved webhook destination, avoid forwarding confidential or regulated content unless authorized, and keep the webhook URL and signing secret in a secure secret store rather than source code or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes tracking messages and pushing them to a Feishu channel, but it does not clearly warn users that message contents will be transmitted to an external webhook. This creates a real data-handling transparency issue: operators may enable the plugin without realizing potentially sensitive tracked content leaves the local system and is sent to a third-party endpoint.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.