Trust Assessment
feishu-doc received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 1 critical, 2 high, 2 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Arbitrary File Write via Unsanitized Output Path, Excessive Permissions: .env File Loading from Parent Directories.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 31/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary File Write via Unsanitized Output Path The `download_file.js` script uses `process.argv[4]` directly as the `outputPath` for `fs.createWriteStream`. This allows an attacker to specify an arbitrary file path on the system, leading to arbitrary file write. This vulnerability can be exploited to overwrite critical system files, inject malicious code, or exfiltrate data by writing it to a publicly accessible location. Sanitize the `outputPath` to ensure it is within an allowed, sandboxed directory. For example, restrict it to a specific temporary directory or a subdirectory of the skill, and validate that it does not contain path traversal sequences (e.g., `../`). | LLM | download_file.js:18 | |
| HIGH | Excessive Permissions: .env File Loading from Parent Directories The `lib/auth.js` module attempts to load `.env` files from parent directories (`../../../.env`, `../../../../.env`). This design choice allows the skill to access environment variables defined outside its intended scope, potentially exposing sensitive configuration from the host system or other skills running in the same environment. This breaks skill isolation and can lead to data exfiltration. Restrict `.env` file loading to the skill's own directory or a clearly defined, isolated configuration directory. Avoid traversing parent directories to prevent unintended access to host or other skill configurations. | LLM | lib/auth.js:8 | |
| HIGH | Shared Token Cache Outside Skill's Isolated Scope The `lib/auth.js` module stores the Feishu access token in a shared cache file located at `../../../memory/feishu_token.json`. This means the token is accessible and potentially modifiable by other skills or processes that can access this shared `memory` directory. This breaks isolation between skills and could lead to token compromise or unauthorized use by other components. Store tokens and other sensitive data within the skill's own isolated storage directory. Avoid shared directories for credentials to maintain proper skill isolation and prevent cross-skill data leakage or tampering. | LLM | lib/auth.js:44 | |
| MEDIUM | Unpinned npm dependency version Dependency '@larksuiteoapi/node-sdk' is not pinned to an exact version ('^1.58.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/autogame-17/feishu-doc/package.json | |
| MEDIUM | Unrestricted Document Permission Granting The `create.js` script allows granting edit permissions to a user ID (`options.grant`) provided via command-line arguments. If the skill is invoked with an arbitrary `user_id`, it could be used to grant unintended access to newly created documents. The `member_type` logic also makes a guess (`openid` vs `userid`), which could be a point of failure if not handled robustly by the Feishu API. Implement stricter validation or whitelisting for `user_id` when granting permissions. Ensure that the skill only grants permissions to pre-approved or contextually appropriate users, rather than arbitrary inputs. | LLM | create.js:30 | |
| LOW | Local Dependency Outside Skill Directory The `index.js` file depends on `../feishu-common/index.js`. This indicates a local dependency outside the immediate skill directory. While not a public supply chain risk, it means the security posture of this skill is directly tied to the `feishu-common` module, which is not provided in this analysis context. If `feishu-common` is compromised or has vulnerabilities, this skill would inherit them. It also implies a broader trust boundary than a self-contained skill. Ensure that `feishu-common` is thoroughly vetted and maintained. For better isolation and clarity, consider bundling `feishu-common` as a sub-module or a clearly defined internal dependency within the skill's own directory, or explicitly documenting its security implications. | LLM | index.js:1 | |
| INFO | Unpinned Dependency in package.json The `package.json` specifies `"@larksuiteoapi/node-sdk": "^1.58.0"`. The caret (`^`) allows for minor and patch updates, which could introduce breaking changes or vulnerabilities if a new version is published with malicious code or regressions. While `package-lock.json` pins the exact version, the `package.json` itself is not strictly pinned. Pin dependencies to exact versions (e.g., `"1.58.0"`) to ensure deterministic builds and prevent unexpected changes from upstream packages. Regularly audit and update dependencies. | LLM | package.json:6 |
Scan History
Embed Code
[](https://skillshield.io/report/829f526a198a3096)
Powered by SkillShield