High Risk — Risk Score 75/100
Last scan: 2 days ago
feishu-mcp
Use when the user asks about Feishu MCP (Model Context Protocol) integration for AI agents
SKILL.md exposes hardcoded credentials (appID and appSecret) for a Feishu application in plaintext, representing critical credential leakage.
Skill Name: feishu-mcp
Duration: 26.3s
Engine: pi
Do not install this skill
Remove the hardcoded credentials from SKILL.md immediately and, if they are live, rotate them in the Feishu developer console. Credentials should never be documented in plaintext: have the skill read them from environment variables or a secret manager, and keep only placeholder values in the documentation.
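As an added example for the recommendation above (written for this report, not code from the scanned feishu-mcp skill or from Feishu), the following Python scans a SKILL.md-style document for literal appID/appSecret values, reports them with masked values and line numbers, rewrites them to ${FEISHU_APP_ID}/${FEISHU_APP_SECRET} references, and resolves those references from the environment, failing closed when a variable is missing. The field names mirror the evidence quoted in the findings; the sample document, the placeholder patterns, the environment-variable names and the assumption that Feishu app IDs carry the `cli_` prefix seen in the quoted appID are the example's own, and the real secret from the scan is deliberately not reproduced.

```python
"""Find plaintext Feishu app credentials in a SKILL.md-style document and show
the environment-variable form the report recommends.

Added example for this report, not the scanned skill's own code. Assumes the
config uses the field names quoted in the findings (mcpUrl, appID, appSecret).
"""
import re
from dataclasses import dataclass

# Constructed stand-in for the skill's config block. Field names mirror the
# evidence quoted in the findings; the values are placeholders, not real keys.
SAMPLE_SKILL_MD = """# feishu-mcp
Use when the user asks about Feishu MCP integration.

MCP server configuration (copy into your client):

  "mcpUrl": "https://feishu-openai-mcp-proxy.bytedance.net/mcp",
  "appID": "cli_0000000000000000",
  "appSecret": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"""

# Environment variable names are this example's choice, not a Feishu convention.
ENV_NAMES = {"appID": "FEISHU_APP_ID", "appSecret": "FEISHU_APP_SECRET"}

# Credential-bearing "key": "value" pairs (the two fields flagged by the scan).
_CRED_KV = re.compile(r'"(appID|appSecret)"\s*:\s*"([^"]*)"')
# Any "key": "value" pair, used to reassemble the config snippet.
_ANY_KV = re.compile(r'"(\w+)"\s*:\s*"([^"]*)"')
# Values that are clearly not live credentials: ${VAR} references,
# <angle-bracket> placeholders, YOUR_* tokens, or runs of x.
_PLACEHOLDER = re.compile(r"^(\$\{[A-Z0-9_]+\}|<[^>]+>|YOUR_[A-Z_]+|x+)$", re.I)
_ENV_REF = re.compile(r"^\$\{([A-Z0-9_]+)\}$")


@dataclass
class Finding:
    field: str
    line: int
    severity: str
    masked: str  # never carry the full value into reports or logs


def mask(value: str) -> str:
    """Keep the first and last four characters so a finding is recognisable
    without reproducing the credential."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_hardcoded_credentials(text: str) -> list[Finding]:
    """Report literal appID/appSecret values with their 1-based line numbers.

    An appSecret is always Critical. An appID alone is an identifier, so it is
    rated Medium unless a secret is also present; then the pair is a complete
    credential and both are Critical, as in the scan above.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CRED_KV.finditer(line):
            field, value = m.group(1), m.group(2)
            if not _PLACEHOLDER.match(value):
                hits.append((field, lineno, value))
    secret_present = any(field == "appSecret" for field, _, _ in hits)
    return [
        Finding(field, lineno,
                "Critical" if field == "appSecret" or secret_present else "Medium",
                mask(value))
        for field, lineno, value in hits
    ]


def rewrite_to_env_references(text: str) -> str:
    """Replace each literal credential with a ${FEISHU_*} reference, leaving
    placeholders and every other line untouched."""
    def repl(m: re.Match) -> str:
        field, value = m.group(1), m.group(2)
        if _PLACEHOLDER.match(value):
            return m.group(0)
        return f'"{field}": "${{{ENV_NAMES[field]}}}"'
    return _CRED_KV.sub(repl, text)


def config_from_doc(text: str) -> dict[str, str]:
    """Collect the "key": "value" pairs of the config snippet into a dict."""
    return dict(_ANY_KV.findall(text))


def resolve_config(cfg: dict[str, str], env: dict[str, str]) -> dict[str, str]:
    """Resolve ${VAR} values from an environment mapping (pass os.environ in
    real use). Fails closed: a missing variable raises instead of silently
    sending an empty secret to the MCP endpoint."""
    resolved = {}
    for key, value in cfg.items():
        m = _ENV_REF.match(value)
        if m is None:
            resolved[key] = value
            continue
        name = m.group(1)
        if name not in env:
            raise KeyError(f"{key}: environment variable {name} is not set")
        resolved[key] = env[name]
    return resolved


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SKILL_MD):
        print(f"{f.severity}: {f.field} at line {f.line} ({f.masked})")
    print(rewrite_to_env_references(SAMPLE_SKILL_MD))
```

Run it over a real SKILL.md instead of the constructed sample to get the same line-numbered findings the report shows; the rewritten document is what should be committed, with the two variables exported in the agent's runtime environment rather than written into the file.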

Attack Chain (3 steps)

1. Impact: Hardcoded credentials exposed in SKILL.md (SKILL.md:22)
2. Escalation: Attacker harvests appID and appSecret from documentation (SKILL.md:23)
3. Impact: Attacker uses credentials to access Feishu MCP API with document permissions (SKILL.md:21)

Findings (3 items)

1. Critical: Hardcoded Application Secret Exposed (SKILL.md:23)
   The appSecret 'BiL8CymBwxiA998MXxvUKbN23RhPsxAg' is hardcoded in plaintext within SKILL.md. If these are real credentials, they can be harvested and used to access the associated Feishu application with document permissions.
   Evidence: "appSecret": "BiL8CymBwxiA998MXxvUKbN23RhPsxAg"
   Fix: Remove all credentials from documentation and use environment variables or secure secret management. If these are production credentials, rotate them immediately; once a secret has been published, removing it from the file is not enough.

2. Critical: Hardcoded Application ID Exposed (SKILL.md:22)
   The appID 'cli_a926728f3e38dcba' is exposed in plaintext documentation. On its own an appID is an identifier rather than a secret; the critical impact comes from its pairing with the appSecret on the next line, which together form a complete, usable credential.
   Evidence: "appID": "cli_a926728f3e38dcba"
   Fix: Remove the appID from documentation or use placeholder values.

3. Medium: External Network Endpoint Referenced (SKILL.md:21)
   The skill references an external ByteDance/Feishu endpoint for MCP operations, configured in the same block as the appID and appSecret.
   Evidence: mcpUrl: https://feishu-openai-mcp-proxy.bytedance.net/mcp
   Fix: Verify against Feishu's official documentation that this is the legitimate MCP endpoint before supplying credentials to it, and pin the exact URL rather than accepting arbitrary endpoints.
Resource   | Declared | Inferred | Status      | Evidence
Network    | READ     | READ     | ✓ Aligned   | SKILL.md line 21: https://feishu-openai-mcp-proxy.bytedance.net/mcp
credential | NONE     | ADMIN    | ✗ Violation | SKILL.md lines 22-23: hardcoded appID and appSecret
External URLs (2 findings)

- Medium, External URL: https://feishu-openai-mcp-proxy.bytedance.net/mcp (SKILL.md:21)
- Medium, External URL: https://xxx.feishu.cn/docx/ABC123def (SKILL.md:121), which reads as a placeholder example document link rather than a live target

File Tree

1 file · 2.2 KB · 126 lines (Markdown)
└─ 📝 SKILL.md  Markdown, 126 lines, 2.2 KB

Security Positives

✓ No executable code present - only documentation
✓ No suspicious patterns like base64, eval, or obfuscation
✓ No filesystem, shell, or environment variable access declared
✓ No data exfiltration mechanisms detected beyond credential exposure