feishu-cli-export

Fail

Audited by Snyk on May 18, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill fetches and exports user-generated Feishu cloud documents and wiki pages (e.g., URLs like https://xxx.feishu.cn/docx/ and https://xxx.feishu.cn/wiki/) and explicitly reads/interprets the exported Markdown and downloaded images as part of its workflow ("读取导出的 Markdown 文件", "Read /tmp/doc_assets/image_*.png", "整合分析"), so untrusted third‑party content can directly influence agent decisions and actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy credentials. Most token-like strings are clearly placeholders (e.g., u-xxx, fldcnXXX, ou_xxx, , <node_token>, feishu://media/) or short/example values and are therefore ignored per the rules.

However, the example doc token "JKbxdRez1oNWEKxPz14cWMpBnKh" (used in the doc export-file examples) is a long, random-looking alphanumeric string that meets the high-entropy criteria and is not annotated as a placeholder. This value could plausibly be a real document token usable to perform an export, so it is flagged.

Ignored/accepted-as-non-secrets:

  • document_id: ABC123def456 — short/example-looking value, treated as example (low/medium entropy).
  • placeholders like u-xxx, fldcnXXX, ou_xxx, and angle-bracket tokens (<token>, <node_token>) — documentation placeholders per rules.
  • environment variable names (FEISHU_APP_ID / FEISHU_APP_SECRET) — names only, no values provided.
  • any truncated/replaced values (e.g., u-xxx) or obvious examples.

Therefore I mark the presence of at least one high-entropy, direct token-like value.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level
HIGH
Analyzed
May 18, 2026, 01:48 PM
Issues
2
Security Audit — snyk — feishu-cli-export