feishu-cli-export

Fail

Audited by Snyk on May 10, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs exporting and then reading Feishu cloud documents and knowledge-base content (e.g., "读取导出的 Markdown 文件" ["Read the exported Markdown file"] and "使用 Read 工具读取图片" ["Use the Read tool to read the images"]) via feishu-cli, meaning the agent ingests user-generated Feishu/wiki content from third-party servers, which could contain instructions that influence its actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that look like real credentials.

Flagged:

  • JKbxdRez1oNWEKxPz14cWMpBnKh — this exact string appears as a <doc_token> in examples for feishu-cli doc export-file. It is a long, random-looking token (high entropy) and could be a real, usable document token if not meant as a placeholder, so I treat it as a potential secret.

Ignored (not flagged) and why:

  • ABC123def456 — present in front matter as a document_id example; relatively low-entropy / recognizable pattern and clearly an example, so treated as non-sensitive.
  • u-xxx, fldcnXXX, ou_xxx, DOC_TOKEN, "xxx"/"your-service-role-key", and similar xxx/placeholder patterns — documentation placeholders per rules, explicitly ignored.
  • feishu://media/, token="xxx", and other template/tag forms — placeholders or examples, not literal credentials.
  • Simple/example values or parameter names (FEISHU_APP_ID / FEISHU_APP_SECRET mentioned as environment variables but without values) — just variable names, no secrets present.

Conclusion: one high-entropy literal token (JKbxdRez1oNWEKxPz14cWMpBnKh) appears and should be considered a potential leaked credential; all other candidate strings are placeholders or low-entropy examples and are ignored.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: May 10, 2026, 09:02 AM
  • Issues: 2