High risk: risk score 75/100
Last scan: 2 days ago
feishu-mcp
Use when user asks about Feishu MCP (Model Context Protocol) integration for AI agents
SKILL.md exposes hardcoded credentials (appID and appSecret) for a Feishu application in plaintext, representing critical credential leakage.
Skill name: feishu-mcp
Analysis time: 26.3s
Engine: pi
Do not install this skill
Remove the hardcoded credentials from SKILL.md immediately. Credentials should never be documented in plaintext. Use environment variables or secure configuration management instead.

Attack chain (3 steps)

1. Impact: Hardcoded credentials exposed in SKILL.md (SKILL.md:22)
2. Privilege escalation: Attacker harvests appID and appSecret from documentation (SKILL.md:23)
3. Impact: Attacker uses credentials to access Feishu MCP API with document permissions (SKILL.md:21)

Security findings (3)

Severity: Critical
Finding: Hardcoded Application Secret Exposed
The appSecret 'BiL8CymBwxiA998MXxvUKbN23RhPsxAg' is hardcoded in plaintext within SKILL.md. If these are real credentials, they can be harvested and used to access the associated Feishu application with document permissions.
Evidence: "appSecret": "BiL8CymBwxiA998MXxvUKbN23RhPsxAg"
→ Remove all credentials from documentation. Use environment variables or secure secret management. If these are production credentials, rotate them immediately.
Location: SKILL.md:23

Severity: Critical
Finding: Hardcoded Application ID Exposed
The appID 'cli_a926728f3e38dcba' is exposed in plaintext documentation.
Evidence: "appID": "cli_a926728f3e38dcba"
→ Remove appID from documentation or use placeholder values.
Location: SKILL.md:22

Severity: Medium
Finding: External Network Endpoint Referenced
The skill references an external ByteDance/Feishu endpoint for MCP operations.
Evidence: mcpUrl: https://feishu-openai-mcp-proxy.bytedance.net/mcp
→ Verify this is the legitimate Feishu MCP endpoint. Consider pinning to a specific version.
Location: SKILL.md:21
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md line 21: https://feishu-openai-mcp-proxy.bytedance.net/mcp
Credentials | NONE | ADMIN | ✗ Over-privileged | SKILL.md lines 22-23: hardcoded appID and appSecret
External URLs (2 findings)

Medium: External URL
https://feishu-openai-mcp-proxy.bytedance.net/mcp
SKILL.md:21

Medium: External URL
https://xxx.feishu.cn/docx/ABC123def
SKILL.md:121

Directory structure

1 file · 2.2 KB · 126 lines
Markdown: 1 file · 126 lines
└─ SKILL.md (Markdown, 126 lines, 2.2 KB)

Security highlights

✓ No executable code present - only documentation
✓ No suspicious patterns like base64, eval, or obfuscation
✓ No filesystem, shell, or environment variable access declared
✓ No data exfiltration mechanisms detected beyond credential exposure