create-boss
Audited by Socket on Apr 8, 2026
2 alerts found:
Anomaly x2 (SUSPICIOUS): the overall purpose is coherent, but the footprint is broader than necessary and underspecified in key places. Sensitive workplace data collection is central to the skill, yet auto-collector/MCP/browser tooling and Bash-enabled file operations create medium-to-high security risk without clear endpoint, auth, or safety constraints.
No clear malicious payload is present within the Python snippet itself. The primary concerns are (1) supply-chain and execution risk from running `npx -y feishu-mcp` at runtime (the `-y` flag suppresses the install prompt, so an unpinned package is resolved, downloaded and executed on each run); (2) plaintext storage of high-value Feishu credentials in a predictable file under the user's home directory; (3) passing those secrets to a child process via environment variables, where they are visible to any process that can inspect the child's environment; and (4) writing fetched content to an arbitrary user-specified output path with no confinement check.
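The two file-level findings above (plaintext credentials in a predictable location, and an unconfined user-supplied output path) have standard mitigations that are cheap to apply. The following is an added illustration written for this page, not code from the `create-boss` skill or from `feishu-mcp`; the function names, the `allowed_root` parameter and the 0600 policy are this editor's choices. The `npx -y` finding is not covered here because its fix is to pin and pre-install the package rather than to change Python code.

```python
"""Hardening checks for the credential-file and output-path findings.

Illustrative example, not the audited skill's code. It shows:
  - resolve_output_path: accept a user-supplied path only if, after
    resolving '..' and symlinks, it still lies inside an allowed root;
  - write_private_credentials: create the secrets file with mode 0600
    from the first byte, so there is no window where it is world-readable;
  - credential_file_is_private: a pre-flight check that refuses to use a
    secrets file whose group/other permission bits are set.
"""
import os
import stat
from pathlib import Path


def resolve_output_path(user_path: str, allowed_root: str) -> Path:
    """Return the absolute target path, or raise if it escapes allowed_root.

    Resolving both sides first defeats 'out/../../etc/passwd', absolute
    paths ('/etc/passwd' joined onto the root simply replaces it) and
    symlinks that point outside the intended directory.
    """
    root = Path(allowed_root).resolve()
    target = (root / user_path).resolve()
    # A path equal to the root itself is also rejected: it is a directory,
    # not a file we should overwrite.
    if root not in target.parents:
        raise ValueError(f"output path escapes {root}: {user_path!r}")
    return target


def credential_file_is_private(path: str) -> bool:
    """True only if path is a regular file readable by its owner alone."""
    p = Path(path)
    if not p.is_file():
        return False
    mode = stat.S_IMODE(p.stat().st_mode)
    # Any group or other bit (r, w or x) means another account can reach it.
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_private_credentials(path: str, contents: str) -> Path:
    """Write contents to path with mode 0600, creating parents as needed.

    os.open with an explicit mode applies 0600 at creation time (subject to
    umask, which can only remove bits); the trailing chmod handles a file
    that already existed with a looser mode.
    """
    p = Path(path)
    p.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents)
    os.chmod(p, 0o600)
    return p


def child_env(secrets: dict) -> dict:
    """Minimal environment for a spawned MCP process.

    Only PATH and the named secrets are passed; nothing else from the parent
    environment is inherited. This does not hide the secrets from processes
    that can read the child's environment, but it keeps the exposure to the
    variables the child actually needs.
    """
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(secrets)
    return env


if __name__ == "__main__":
    # Constructed demo: confine output under ./feishu-out and store a dummy
    # credential privately. The token value is a placeholder, not real.
    out = resolve_output_path("notes/doc.md", "feishu-out")
    print("output will be written to", out)
    creds = write_private_credentials("feishu-out/.creds", '{"token": "placeholder"}')
    print("credentials private:", credential_file_is_private(str(creds)))
    try:
        resolve_output_path("../../etc/passwd", "feishu-out")
    except ValueError as e:
        print("rejected:", e)
```

Run the confinement check before every write, not once at startup, because the output path comes from the caller on each invocation. On Windows the permission-bit check is not meaningful (NTFS uses ACLs), so the `credential_file_is_private` check should be treated as POSIX-only.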