The Agent Skills Directory

[DATA_EXFILTRATION]: The script lib/auth.js contains logic to search for .env files in parent directories up to four levels deep (../../../../.env). This traversal pattern could lead to the unauthorized exposure of environment variables from the host system. Additionally, download_file.js allows writing files from Feishu to an arbitrary local path provided as an argument, which could be used to overwrite sensitive files.
[EXTERNAL_DOWNLOADS]: Multiple files, including index.js and create.js, depend on local modules situated outside the skill's root directory (../feishu-common/index.js and ../common/env). These dependencies are not included in the skill's source code, making their behavior unverifiable.
[PROMPT_INJECTION]: The skill's primary function is to read content from external Feishu documents. This data is ingested into the agent's context without adequate sanitization or boundary markers to prevent indirect prompt injection. input_guard.js only provides structural sanitization for API compatibility.
[CREDENTIALS_UNSAFE]: The skill stores access tokens in a shared memory file (../../../memory/feishu_token.json) outside its directory. This shared cache, combined with the broad search for .env files, increases the risk of credential leakage between different skills or processes.
[COMMAND_EXECUTION]: The download_file.js utility takes a file path as an argument and writes data to it using fs.createWriteStream. An attacker could potentially use this to overwrite critical configuration or shell profile files if the agent is instructed to download a malicious payload to a sensitive location.

feishu-doc