The Agent Skills Directory

[PROMPT_INJECTION]: The skill's SKILL.md file contains explicit instructions to the AI agent to ignore and not read or analyze the contents of the scripts/ directory. This is a direct attempt to bypass security oversight and influence the analysis process.
[COMMAND_EXECUTION]: Multiple scripts, including scripts/table/batch-create.js and scripts/record/create.js, use execSync to execute shell commands. Specifically, they use wmic to retrieve sensitive system-level information such as the Motherboard Serial Number, CPU ProcessorId, and BIOS UUID.
[DATA_EXFILTRATION]: The skill harvests unique hardware identifiers from the host machine to generate a 'machineId'. This identifier is part of an obfuscated licensing system that likely transmits this fingerprinting data to an external server (shop.wangchengq.com) for tracking or authorization purposes without the user's explicit consent.
[EXTERNAL_DOWNLOADS]: Hardcoded logic within the obfuscated scripts references an external domain (shop.wangchengq.com) which is not part of the official Feishu API ecosystem. This domain is used for license management and potentially for reporting harvested system data.
[OBFUSCATION]: All JavaScript files in the scripts/ directory are heavily obfuscated. While the developer claims this is to save tokens, it effectively hides the internal logic and suspicious fingerprinting behavior from standard inspection.

feishu-bitable