dot-skill
Warn
Audited by Socket on May 11, 2026
1 alert found:
Anomaly (LOW)
tools/feishu_mcp_client.py
No clear malicious payload is present within this Python snippet itself. The primary concerns are (1) supply-chain/execution risk from running `npx -y feishu-mcp` at runtime (dynamic resolution/installation/execution) and (2) plaintext storage of high-value Feishu credentials in a predictable file under the user’s home directory, plus (3) passing those secrets to a child process via environment variables and (4) writing fetched content to an arbitrary user-specified output path.
Confidence: 70%
Severity: 65%
Audit Metadata