feishu-automation
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The setup scripts 'feishu-mcp-setup.js' and 'feishu-mcp-setup.sh' modify the user's global AI client configuration file at '~/.claude.json' to inject new MCP server definitions, altering the agent's persistent environment.
- [CREDENTIALS_UNSAFE]: The script 'scripts/md2feishu.sh' attempts to retrieve sensitive API secrets by executing the command 'pass show api/feishu-hanxing' to access the user's local password manager. Additionally, 'feishu_api.py' contains hardcoded internal chat identifiers (e.g., 'oc_356d77ff689d91280b4d33befb0eccb8').
- [REMOTE_CODE_EXECUTION]: The automated configuration process sets up a server that downloads and executes code from the npm registry using 'npx -y @larksuiteoapi/lark-mcp', which is a well-known service from the LarkSuite organization.
- [DATA_EXFILTRATION]: The skill performs unauthorized read and write operations on the sensitive configuration file '~/.claude.json' and attempts to access the local password store to extract credentials.
- [PROMPT_INJECTION]: An indirect prompt injection surface is present as the skill ingests data from external Feishu documents and multi-dimensional tables while possessing dangerous capabilities like shell execution ('Bash') and file manipulation ('Write', 'Edit').
  - Ingestion points: Data retrieved via 'feishu_api.py' through the 'search_docs', 'get_doc', and 'get_bitable_records' methods.
  - Boundary markers: No delimiters or warnings to ignore embedded instructions were found in the processing logic.
  - Capability inventory: The skill is granted access to the 'Bash', 'Read', 'Write', and 'Edit' tools in its metadata.
  - Sanitization: No evidence of validation or escaping of external content before processing was detected.
Recommendations
- AI detected serious security threats
Audit Metadata