send-feishu
Audited by Socket on Mar 11, 2026
1 alert found:
Obfuscated File

The skill footprint is largely coherent with its stated purpose: it uses Feishu APIs to send text, cards, images, and files via webhook or API with token-based authentication. Major risks relate to credential exposure (token and app secrets) if logs or outputs leak them, and the potential for token leakage through in-session memory or misconfigured logging. There are no evident download/execute supply-chain risks, no hidden third-party exfiltration endpoints, and no autonomous real-world actions. Overall, the risk is moderate (data-in-transit and credential exposure concerns) and aligns with a purpose-built messaging integration; treat as SUSPICIOUS-to-MEDIUM risk, not benign due to credential handling in logs and environments. Recommend adding explicit secret masking, minimal-privilege credentials, and clear logging exclusions to reduce exposure.