Security audit

Feishu Identity Routing

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Feishu identity-routing purpose, but it persists sensitive cross-app identity mappings and has under-scoped controls around who can merge or review them.

Install only if you intentionally want a shared Feishu identity database. Restrict edit access to the identity files, verify submitted records before relying on them for outbound messages, define retention/deletion rules for personal data, and confirm that any workspace bin script invoked by the batch helper is the reviewed merge script.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The workflow explicitly instructs storing and merging personal data fields such as union_id, user_id, open_id, name, phone, and aliases into a canonical identity master, but it provides no privacy notice, data minimization guidance, access controls, retention limits, or consent considerations. In a multi-agent routing context, centralizing cross-app identity linkage increases the sensitivity of the dataset and raises the risk of unauthorized correlation, privacy violations, and broader impact if the master record is exposed or misused.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal