Back to skill

Security audit

nanobot-feishu-send

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Feishu/Lark file-sending skill, but users should verify the recipient and file sensitivity before sending.

Before installing or using it, treat any media path as an upload to Feishu/Lark. Verify the chat_id or recipient, avoid sending secrets or personal data unless authorized, and prefer adding an explicit confirmation step for sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs users to send local files and optionally specify a Feishu chat identifier, but it provides no privacy or data-disclosure warning about transmitting local machine content to an external messaging platform. This can lead users or downstream agents to exfiltrate sensitive local files, internal documents, or misroute data to unintended chats without informed consent or verification.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.