Security audit

Send File

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it can send local files or screenshots to Feishu with broad triggers and inferred recipients without a required confirmation step.

Install only if you explicitly want the agent to send files through Feishu. Use a dedicated low-permission Feishu app, avoid storing the app secret broadly, and require the agent to confirm the exact file path, file size, platform, and recipient before every send, especially for screenshots or vague requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly instructs use of environment variables for credentials and network calls to external APIs, yet it declares no corresponding permissions. This weakens security review and user/operator awareness, because a skill that can exfiltrate local files over the network should transparently declare those capabilities.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Broad trigger phrases like '发送文件' ("send file") or '发送xxx' ("send xxx") can cause the skill to activate on ordinary conversational requests, including ambiguous ones. In a file-transmission skill, accidental activation is dangerous because it can initiate file discovery and outbound transfer of local or generated data.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The guidance says the skill should execute when users say broad phrases like '发送xxx' ("send xxx"), without requiring strong disambiguation. This makes unintended invocation more likely, especially in chat contexts where 'send' may refer to text, links, or drafts rather than local files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs uploading files to external messaging platforms but does not prominently warn that local data will leave the system and be sent to a third party. Users may not realize that generated reports, local files, or screenshots will be transmitted off-device, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow allows automatic file selection by priority and recipient inference from the current chat context without a mandatory re-verification step. This materially increases the chance of sending the wrong file or sending a sensitive file to the wrong person or channel.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill is designed to send recently generated documents, local files, or screenshots to external services based on natural-language requests, but it lacks sensitivity checks. That creates a realistic path for exfiltrating confidential reports, personal files, API exports, or other sensitive artifacts through ordinary conversation.

Ssd 3

Medium
Confidence
97% confidence
Finding
Automatically inferring the current chat recipient and immediately executing a file-send path removes an important verification barrier. In practice, this can leak files to an unintended recipient if the conversation context is misdetected, stale, or misunderstood.

Ssd 3

Medium
Confidence
95% confidence
Finding
The screenshot workflow instructs the agent to capture the screen and send it externally on request, but screenshots often contain passwords, tokens, personal data, notifications, or unrelated sensitive windows. Without preview and confirmation, this creates a strong exfiltration risk.

External Transmission

Medium
Category
Data Exfiltration
Content
# 2. Upload the file
with open(file_path, 'rb') as f:
    upload_resp = requests.post(
        "https://open.feishu.cn/open-apis/im/v1/files",
        headers={"Authorization": f"Bearer {token}"},
        files={'file': (filename, f, mime_type)},
Confidence
94% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
file_key = upload_resp.json()["data"]["file_key"]

# 3. Send the file message
requests.post(
    "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id",
    headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    json={
Confidence
93% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
file_key = upload_resp.json()["data"]["file_key"]

# 3. Send the file message
requests.post(
    "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id",
    headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    json={
Confidence
93% confidence
Finding
requests.post( "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id", headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"}, json=

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.