skills/ypyt1/all-skills/feishu-card/Gen Agent Trust Hub

feishu-card

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: handle_event.js calls child_process.execSync with a shell command string into which the variables userOpenId and menuKey, taken directly from an external event payload, are interpolated. execSync hands that string to /bin/sh, so a payload containing shell metacharacters (;, |, &&, $(), backticks, or a newline) lets the sender of the event run arbitrary commands with the privileges of the skill process.
  • [COMMAND_EXECUTION]: SKILL.md warns about shell-escaping problems with newline characters, but handle_event.js neither validates the inputs against an allowlist nor uses a shell-free execution method such as child_process.execFile or spawn with an argument array, which pass each value as a single argv entry and so are not subject to shell interpretation. A warning in the documentation does not mitigate the defect in the code.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with the official Feishu Open API (open.feishu.cn) to obtain access tokens and send interactive message cards. This is the expected endpoint for the skill's stated purpose; the finding records the outbound network dependency rather than a separate vulnerability.
Recommendations
  • AI detected serious security threats: untrusted event fields (userOpenId, menuKey) reach a shell via child_process.execSync in handle_event.js.
  • Replace execSync with child_process.execFile or spawn and pass userOpenId and menuKey as separate array arguments so that no shell parses them.
  • Validate both values against a strict allowlist (expected open_id format, known menu keys) before use, and reject anything else; do not rely on the escaping warning in SKILL.md as a control.
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 1, 2026, 01:37 AM