Trust Assessment
feishu-message received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 4 critical, 2 high, 4 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Arbitrary command execution, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints Axios POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/autogame-17/feishu-message/send-audio.js:30 | |
| CRITICAL | Network egress to untrusted endpoints Axios POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/autogame-17/feishu-message/send-audio.js:68 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/feishu-message/send.js:11 | |
| CRITICAL | Skill Allows Upload of Arbitrary Local Files The `send-audio.js` script allows uploading an arbitrary file from the local filesystem to Feishu via the `--file` option. An attacker or a malicious LLM prompt could specify paths to sensitive files (e.g., configuration files, private keys, user data, `.env` files) for exfiltration to an external Feishu chat. Restrict the `--file` option to a specific, sandboxed directory, or implement strict validation on file types and locations. Consider if the skill truly needs to upload *any* file or only specific media types from designated locations. | LLM | send-audio.js:100 | |
| HIGH | Feishu API Token Cached to Disk The Feishu `tenant_access_token` is cached unencrypted to `../../memory/feishu_token.json`. This token grants API access and could be read by other processes or skills if the `memory` directory is not adequately protected, leading to unauthorized access to Feishu resources. This pattern is repeated across multiple scripts (`get.js`, `send-audio.js`, `get_latest_file.js`). Implement a more secure credential storage mechanism (e.g., OS keyring, encrypted storage) or ensure strict file system permissions on the `memory` directory to prevent unauthorized access. | LLM | get.js:8 | |
| HIGH | Destructive Chat Disbandment Capability The `disband_chat.js` script provides the ability to permanently delete any Feishu chat given its `chatId`. This is a highly destructive operation that, if misused by a malicious prompt or an attacker, could lead to significant data loss, disruption of communication, or denial-of-service within the Feishu environment. Implement stricter access control for the skill, requiring explicit user confirmation for destructive actions. Consider if this functionality should be exposed to an LLM at all, or if it should be restricted to administrative contexts. | LLM | disband_chat.js:21 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/autogame-17/feishu-message/SKILL.md:1 | |
| MEDIUM | Unpinned npm dependency version Dependency '@larksuiteoapi/node-sdk' is not pinned to an exact version ('^1.58.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/autogame-17/feishu-message/package.json | |
| MEDIUM | Broad Information Disclosure via Feishu API Several scripts retrieve and output potentially sensitive information from the Feishu API based on user-provided IDs.
- `get_chat_info.js` exposes chat details (e.g., members, names, descriptions).
- `get_latest_file.js` exposes file metadata (e.g., `file_key`, `name`, `size`, `uploader`) and can resolve P2P chat IDs.
- `list_pins.js` exposes content of pinned messages.
If an LLM can be prompted to provide valid `chat_id` or `user_id` values, it could exfiltrate this information, potentially revealing private communications or internal data. Implement stricter access control for the skill, or redact sensitive fields from the output before presenting them to the user or LLM. Ensure that the LLM's access to these tools is carefully managed. | LLM | get_chat_info.js:25 | |
| MEDIUM | Child Process Spawning with User Arguments The `index.js` and `send.js` scripts use `child_process.spawn` to execute other Node.js scripts, passing user-controlled command-line arguments directly. While the target scripts generally use robust argument parsing (e.g., `commander`) or pass arguments to APIs, which mitigates direct shell injection, this pattern still presents a risk if a child script were to have a vulnerability to specific command-line options (e.g., `--eval` or path traversal in file operations). Additionally, some child scripts (`list_pins_v2.js`, `disband_chat.js`, `get_chat_info.js`, `list_pins.js`) directly use `process.argv[2]` for arguments, which is less robust than `commander` and could be more susceptible to unexpected input. Ensure all child scripts use robust argument parsing libraries like `commander`. Thoroughly sanitize or validate all user-provided arguments before passing them to `spawn` or directly using `process.argv`. Avoid passing raw user input to any function that could interpret it as code or a file path without strict validation. | LLM | index.js:14 |
Scan History
Embed Code
[](https://skillshield.io/report/679c8f64f5cf9822)
Powered by SkillShield