dot-skill

Warn

Audited by Socket on Jun 2, 2026

1 alert found:

Anomaly
AnomalyLOW
tools/feishu_mcp_client.py

No clear malicious payload is present within this Python snippet itself. The primary concerns are (1) supply-chain/execution risk from running `npx -y feishu-mcp` at runtime (dynamic resolution/installation/execution) and (2) plaintext storage of high-value Feishu credentials in a predictable file under the user’s home directory, plus (3) passing those secrets to a child process via environment variables and (4) writing fetched content to an arbitrary user-specified output path.

Confidence: 70%Severity: 65%
Audit Metadata
Analyzed At
Jun 2, 2026, 07:14 AM
Package URL
pkg:socket/skills-sh/titanwings%2Fcolleague-skill%2Fdot-skill%2F@47039d08fcf0330794caea14efdb5e183348f7bb
Security Audit — socket — dot-skill