Create Colleague

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about collecting workplace data, but it reaches into private chats, documents, browser sessions, and stored credentials with weak consent and scoping controls.

Review before installing. Use this only with explicit authorization from the person being modeled and from the workspace owner/admin. Avoid private chats, DMs, browser-profile scraping, and token-based collection unless there is a clear business need, written consent, and a retention/deletion plan. Store credentials in a secure vault where possible, rotate any tokens used for testing, and prefer manual redacted imports over ambient browser-session collection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (104)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    })

    try:
        result = subprocess.run(
            ["npx", "-y", "feishu-mcp", "--stdio"],
            input=payload,
            capture_output=True,
Confidence
92% confidence
Finding
result = subprocess.run( ["npx", "-y", "feishu-mcp", "--stdio"], input=payload, capture_output=True, text=True, env=env,

Tainted flow: 'dl_url' from input (line 310, user input) → requests.get (network output)

Medium
Category
Data Flow
Content
    dl_url = dl_data.get("downloadUrl") or dl_data.get("result", {}).get("downloadUrl")
    if dl_url:
        try:
            resp = requests.get(dl_url, timeout=15)
            return resp.text
        except Exception:
            pass
Confidence
91% confidence
Finding
resp = requests.get(dl_url, timeout=15)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to send a real Feishu message to another user purely to discover a private chat ID. This creates an external side effect against a third party, can contact someone without their consent, and may leak that the operator is probing or profiling them.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill encourages writing ad hoc Python scripts for token exchange, contact lookup, message sending, and retrieval. This broadens the attack surface, bypasses safer fixed tooling, and makes it easier to mishandle secrets, over-collect data, or introduce unreviewed network behaviors.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The DingTalk path includes browser-based scraping of message history, which relies on a live logged-in session rather than a bounded API. That can capture more data than intended, is hard to audit, and risks accessing sensitive content under the operator's account context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Reusing the operator's local Chrome login session to read internal Feishu documents grants the skill access through ambient browser credentials. This is risky because the agent may access documents beyond the user's immediate intent, and the access path is opaque and difficult to constrain or audit.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill exposes a destructive delete operation that permanently removes colleague directories. Even if intended for maintenance, a skill with broad triggers and file-write powers can turn this into accidental or malicious data loss if the slug is wrong or the command is invoked unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The browser-based collector launches a persistent Chromium context against an existing local Chrome profile to access DingTalk web sessions and scrape chat history. This grants the tool access to far more than the named colleague's data, including any authenticated web state in that profile, making the capability highly privacy-invasive and broader than a narrowly scoped data collector.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The fallback search recursively enumerates departments and users across the organization to locate a match, expanding collection beyond a single specified colleague. In a skill whose purpose is to distill one coworker, this broad directory discovery increases privacy exposure and can facilitate bulk organizational reconnaissance.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script automatically stores user OAuth access and refresh tokens and also prints part of the access token to stdout. In a skill whose purpose is colleague data collection, handling reusable user credentials materially expands blast radius: anyone with local access, logs, shell history capture, or stolen config files may reuse tokens to access private chats and other user-scoped resources.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The setup instructions request im:message and im:chat user scopes, and the comments explicitly describe them as allowing reading/sending messages, even though the collector is for data gathering. Requesting broader messaging capability than needed violates least privilege and increases the chance that a compromised skill or operator could send messages as the user, impersonate them, or manipulate conversations.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script explicitly reuses the user's local Chrome profile and states it can access all Feishu content the logged-in user can reach, which creates broad, implicit access to sensitive documents, sheets, and chat history far beyond a narrowly scoped colleague-distillation task. In this skill context, that overcollection is especially dangerous because the tool is designed to aggregate personal and workplace data into an AI persona, increasing the chance of unauthorized scraping, privacy violations, and mass exfiltration of enterprise data.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Running `npx -y feishu-mcp --stdio` introduces a supply-chain execution path: code from the npm ecosystem can be fetched and executed at runtime, outside the skill's own reviewed codebase. In a skill whose purpose is broad Feishu data collection and distillation, this is especially sensitive because the external package receives access to document content, chat history, and credentials.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The code persists App ID/Secret and potentially a user token in a local JSON file under the user's home directory. This creates a local secret-at-rest risk because other local users, malware, backups, or accidental sharing of the config directory could expose long-lived credentials that grant access to Feishu data.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The collector is explicitly configured to enumerate public channels, private channels, group DMs, and direct messages, which exceeds a minimal-collection approach for building a workplace persona. In skill context, this is especially dangerous because the tool is designed to profile a named colleague, so broad access to private communications materially increases privacy invasion and insider surveillance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The installation guide explicitly instructs users to paste and save a Slack Bot OAuth token into a local JSON file, but it does not warn that this token is a sensitive secret equivalent to API credentials. If that file is stored with weak permissions, synced to cloud storage, committed to a repository, or read by other local processes, the token could be abused to access Slack workspace data within its granted scopes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section documents collecting broad Slack history across public channels, private channels, group DMs, and direct messages, but it does not provide an explicit privacy, consent, or authorization warning. In the context of a skill designed to 'distill a colleague' by harvesting communications, omission of such guardrails materially increases the risk of over-collection, unauthorized surveillance, and privacy violations affecting employees and third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly encourages users to ingest coworkers' messages, emails, screenshots, and subjective descriptions to build a behavioral replica, but it does not pair this with clear consent, privacy, retention, or organizational-policy warnings. That creates a real privacy and compliance risk because users may process personal or regulated communications without authorization.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README recommends WeChat export and decryption tools for chat-history ingestion but gives no strong warning about handling private conversations, credentials, decrypted databases, or local plaintext artifacts. In practice, this guidance can lead users to expose highly sensitive personal and business communications during extraction and import.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The roadmap explicitly promotes automatic collection of private workplace and personal communications, plus voice cloning, without any accompanying mention of consent, authorization boundaries, retention limits, or privacy safeguards. In this skill context, the danger is elevated because the product is specifically designed to ingest sensitive real-person data and recreate identity-like behavior, which could enable surveillance, impersonation, or non-consensual profiling if implemented as described.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The roadmap proposes iMessage auto-read and ongoing 'active evolution' through periodic absorption of new data sources, again without warning users about continuous access, scope of monitoring, or consent from affected individuals. This is especially dangerous here because the skill's purpose is to continuously model real people, so silent or persistent ingestion of new personal data materially increases the risk of covert monitoring, excessive collection, and identity misuse.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The evolution triggers include ordinary conversational phrases like 'I have new files' or 'that's wrong,' which are likely to occur outside the intended administrative context. Because this skill can read sensitive sources and modify files, accidental activation materially increases risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The creation triggers are broad, conversational, and not tightly scoped to an intentional high-risk workflow. In a skill that can collect chats, documents, emails, and write files, vague triggers raise the chance of unintended execution and consent confusion.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill advertises auto-collection of Feishu/DingTalk data and persona generation without a prominent privacy, consent, and data-impact warning. Given that the workflow targets private chats, documents, emails, and behavioral profiling, the lack of up-front warning materially increases the likelihood of inappropriate collection.

Missing User Warnings

High
Confidence
99% confidence
Finding
The instructions tell the agent to contact another person to obtain a chat identifier, but do not clearly warn the operator that a real outbound message will be sent. Hidden third-party contact is especially dangerous in a profiling workflow because it creates notice, privacy, and trust harms beyond the operator's own account.

VirusTotal

66/66 vendors flagged this skill as clean.
