feishu-mcp
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt's mcporter examples include app_token and similar credential fields passed inline in JSON command arguments (e.g., "app_token":"xxx"), which encourages supplying real tokens directly on the command line and would require the LLM to embed secret values verbatim if populated.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The flagged URLs include a direct raw GitHub .sh script that the prompt tells users to execute via curl | bash, a high-risk pattern because it runs unvetted remote code. The localhost callback URLs are benign OAuth redirect endpoints, and the GitHub repo itself is only as trustworthy as its author and review history.