Trust Assessment
feishu-task received a trust score of 71/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 0 high, 5 medium, and 0 low severity. Key findings include "Missing required field: name", "Unpinned npm dependency version", and "Unsanitized user input in task origin URL".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)

| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/autogame-17/feishu-task/SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version | Dependency '@larksuiteoapi/node-sdk' is not pinned to an exact version ('^1.58.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/autogame-17/feishu-task/package.json |
| MEDIUM | Unsanitized user input in task origin URL | The `options.origin` value, which is user-controlled, is directly used as the `url` in the `origin` field of the Feishu task. If a malicious URL (e.g., `javascript:` scheme, or a URL pointing to a phishing site) is provided, and the Feishu platform renders this URL as a clickable link without proper sanitization, it could lead to Cross-Site Scripting (XSS) or phishing attacks against users viewing the task. This could potentially exfiltrate user data from the Feishu client. Sanitize or validate `options.origin` to ensure it's a safe and valid HTTP/HTTPS URL before passing it to the Feishu API. Consider using a URL validation library or explicitly whitelisting allowed URL schemes. | LLM | create.js:50 |
| MEDIUM | Unsanitized user input in task summary/title | The `options.summary` value, which is user-controlled, is directly used as the `summary` of the task and the `title` in the `origin.href` field. If `options.summary` contains malicious script (e.g., HTML/JavaScript tags) and the Feishu platform renders these fields without proper sanitization, it could lead to Cross-Site Scripting (XSS) attacks against users viewing the task, or manipulate the Feishu UI. Sanitize `options.summary` to remove or escape any potentially malicious HTML or script content before passing it to the Feishu API. | LLM | create.js:47 |
| MEDIUM | Unsanitized user input in task description | The `options.desc` (or `options.content`) value, which is user-controlled, is directly used as the `description` of the Feishu task. If this input contains malicious script (e.g., HTML/JavaScript tags) and the Feishu platform renders the task description without proper sanitization, it could lead to Cross-Site Scripting (XSS) attacks against users viewing the task. Sanitize `options.desc` (and `options.content`) to remove or escape any potentially malicious HTML or script content before passing it to the Feishu API. | LLM | create.js:48 |