Security audit

飞书+Agent企业方案

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it broadly activates an agent for Feishu/Lark enterprise automation that can change shared documents, tables, wikis, calendars, and tasks without clear limits or confirmation rules.

Install only if you intend to connect an agent to Feishu/Lark enterprise resources. Use least-privilege app permissions, restrict it to named workspaces and resources, keep read-only behavior by default where possible, and require explicit confirmation before creating, updating, deleting, scheduling, or assigning anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 93% confidence
Finding
The trigger phrases are broad business terms like '企业知识库' and '飞书自动化', which are likely to appear in ordinary user requests unrelated to intentionally invoking this skill. That can cause accidental activation and route users into workflows that can search, create, or modify enterprise documents and collaboration assets without clear user intent.

Missing User Warnings

Medium, 96% confidence
Finding
The skill advertises capabilities including document read/write, bitable CRUD, wiki creation, calendar scheduling, and task assignment, but provides no warning that these actions can change shared enterprise state. In an enterprise workspace, omission of modification warnings increases the risk of users unintentionally authorizing impactful actions affecting documents, schedules, and team workflows.

Vague Triggers

Medium, 90% confidence
Finding
The trigger list includes very broad terms such as "lark" and "飞书企业", which can match many unrelated user requests and cause the skill to activate outside its intended scope. In an enterprise automation and knowledge-base context, unintended invocation can expose users to actions or data flows they did not mean to trigger, increasing the chance of privacy, workflow, or authorization mistakes.

VirusTotal

66/66 vendors flagged this skill as clean.
