Back to skill

Security audit

Send Doc To Feishu

Security checks across malware telemetry and agentic risk

Overview

This is a simple Feishu document-sharing workflow that is disclosed and purpose-aligned, though users should confirm recipients and files before sending.

Before installing, be aware that this skill can guide an agent to upload local documents to Feishu cloud storage and send links to users or groups. Confirm the exact file and recipient before any send action, especially because the trigger wording is broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases include very common expressions such as '发给我' and '发到飞书', which can easily appear in normal conversation without the user specifically intending to invoke this skill. That creates a risk of unintended activation and accidental transmission of local documents or links to Feishu recipients, especially because the skill handles file-sharing actions.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.