Trust Assessment
feishu-bitable received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 4 medium, and 0 low severity. Key findings include Missing required field: name, Unpinned npm dependency version, Outdated Dependency: node-fetch.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Hardcoded API Token in Example Code: The `add_task.js` and `add_task_dynamic.js` files contain a hardcoded `appToken` (`D1albdySZaU6ncsx4WzcGZfOn1B`). While this appears to be example code, hardcoding sensitive tokens, even example ones, is a bad practice. If this token were real and accidentally deployed, it would lead to credential exposure. Best practice is to load such tokens from environment variables or a secure configuration store. Replace hardcoded tokens with references to environment variables (e.g., `process.env.FEISHU_APP_TOKEN`) or a secure configuration management system. Ensure that actual production tokens are never committed to version control. | LLM | add_task.js:24 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/autogame-17/feishu-bitable/SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version: Dependency 'dotenv' is not pinned to an exact version ('^16.3.1'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/autogame-17/feishu-bitable/package.json |
| MEDIUM | Outdated Dependency: node-fetch. The `node-fetch` package is pinned to version `2.7.0` in `package-lock.json` and `package.json`. This version is outdated and may contain known vulnerabilities that have been patched in newer versions (e.g., v3+). Using outdated dependencies can expose the skill to supply chain risks. Update `node-fetch` to the latest stable version (v3 or higher if compatible with the project's Node.js version) and ensure all other dependencies are up-to-date. Review changelogs for breaking changes. | LLM | package-lock.json:19 |
| MEDIUM | Potential Command Injection via `process.argv`: The `add_task_dynamic.js` script directly uses `process.argv` to capture `taskName` and `priority` without any input sanitization or validation before using them in the `newRecord` object, which is then sent as part of an API request body. If the `fields` object is not properly validated by the Feishu API, a malicious input for `taskName` or `priority` could potentially lead to unexpected behavior or data manipulation within the Bitable record, although direct command injection on the host is unlikely given the context of an API call. However, it represents a potential for data integrity issues or API abuse. Implement robust input validation and sanitization for all data derived from `process.argv` or any other untrusted source. Ensure that `taskName` and `priority` conform to expected formats and content before being used in API requests. | LLM | add_task_dynamic.js:26 |
Full report: https://skillshield.io/report/249b703a4f16e691