Feishu PDF Uploader

Security checks across malware telemetry and agentic risk

Overview

This is a Feishu/Lark cloud-drive uploader whose sensitive behavior is mostly expected and disclosed, though users should confirm the exact file, folder, and credential source before use.

Install only if you want an agent to upload named local files to Feishu/Lark. Confirm the file path, target folder token, and Feishu account before each upload, and use a least-privileged Feishu app because the skill can transmit any file path you provide to that cloud destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no explicit permissions even though its documented behavior requires reading local files, accessing credentials/configuration, and making outbound network requests. This creates a transparency and consent problem: users and orchestrators may invoke the skill without realizing it can access sensitive local data and transmit content externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates the skill's actual behavior by omitting reads from local configuration files containing Feishu credentials and by including an alternate implementation that does not match the described upload flow. Behavior-description mismatches are dangerous because they bypass informed user consent and can hide credential access or unintended data handling beyond the file the user expected to upload.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script implicitly reads Feishu credentials from ~/.openclaw/openclaw.json, which expands its access beyond explicitly supplied inputs. This can cause unintended credential use and secret exposure from an unrelated local application context, especially when a user runs the skill expecting only the provided CLI arguments or environment values to be used.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill claims to perform multipart/chunked file upload, but it never calls the part-upload endpoint and never transmits file bytes. This mismatch can mislead users and downstream agents into believing a document was uploaded when it was not, causing integrity and workflow failures around document handling.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The code advertises that it uploads local PDFs to Feishu, but it never sends file content to Feishu despite reading the file into memory. This creates a deceptive capability gap that can cause users or higher-level automation to assume sensitive records were archived or delivered when they were not, potentially leading to data loss, compliance failure, or broken audit trails.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger text is overly broad ('Use when uploading PDF or any files to Feishu') and can cause the skill to be selected in many contexts involving arbitrary file uploads. In a skill that reads local files and uses stored credentials to send data to a cloud service, broad invocation criteria increase the chance of accidental exfiltration of sensitive files.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script accesses secrets from environment variables and a local config file without prominently warning the user that credentials will be discovered and transmitted to an external service. In a skill/agent context, silent secret sourcing reduces user awareness and increases the chance of accidental credential use.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase at line 11 is broad enough to activate the skill for generic upload/report-saving requests that may not explicitly mention Feishu or PDFs. In an agent environment, this can cause unintended invocation of a file-upload capability, increasing the risk of accidental exfiltration of local documents to a third-party cloud service.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example phrase '保存报告到云上' broadens user expectations beyond the declared trigger list and suggests the skill may handle vague cloud-save requests. This ambiguity can cause the agent to route unrelated 'save to cloud' intents into a Feishu upload workflow, potentially transferring sensitive files to the wrong destination.

VirusTotal

67/67 vendors flagged this skill as clean.
