feishu-doc-scraper — agentic threat model
The feishu-doc-scraper agent presents moderate-to-high risk due to its local file-writing capabilities and headless browser execution, which could be exploited for local file overwrite or server-side request forgery (SSRF) if fed malicious Feishu documents.
OWASP AIVSS score rationale
| Agentic risk factor | Value |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.50 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The description does not specify which foundation models are used to drive this agent skill or if it relies purely on deterministic programmatic logic wrapped as an agent skill.
Acts as a data ingestion pipeline extracting Feishu/Lark docs, spreadsheets, and transcripts. Risks include data exfiltration of sensitive corporate knowledge bases and potential ingestion of poisoned/malicious document content that could exploit downstream parsers.
Utilizes lark-cli API and a browser-DOM fallback to scrape content. Insecure tool integration is a primary threat; malicious Feishu documents could exploit the headless browser or the markdown conversion logic to execute arbitrary code or write to unauthorized local paths.
The agent runs locally, calling external APIs, launching a headless browser, and writing files to the local filesystem. This poses risks of local directory traversal, host file overwrite, and potential sandbox escape via the headless browser.
Not certain from the listing — No logging, auditing, or guardrail mechanisms are mentioned to monitor the headless browser's behavior or validate the integrity of the written markdown files.
Requires Feishu/Lark API credentials and session cookies for browser-DOM fallback. Storing and handling these highly sensitive authentication tokens poses significant credential exposure and unauthorized data access risks.
As an open-source community agent skill, it may be integrated into larger multi-agent workflows. A compromise in this scraper could allow an attacker to feed malicious payloads upstream to other agents in the ecosystem.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
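One way to contain the directory-traversal and file-overwrite risk named above when scraped documents are written out as markdown. This is an added example, not code from feishu-doc-scraper; the listing does not describe how the skill builds its output paths, so the function names and the idea of a single output root are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Anything that is not a (Unicode) word character, dot or hyphen becomes "_".
# Path separators, control characters and shell metacharacters all fall in this set.
_UNSAFE = re.compile(r"[^\w.-]+")


def safe_markdown_path(out_root: Path, doc_title: str) -> Path:
    """Map an untrusted document title to a .md path directly inside out_root."""
    # Strip leading/trailing dots so "..", "." and hidden-file names cannot survive.
    # 60 characters keeps even 4-byte UTF-8 names under the common 255-byte limit.
    name = _UNSAFE.sub("_", doc_title).strip("._")[:60]
    if not name:
        raise ValueError("title yields an empty file name")
    root = out_root.resolve()
    # resolve() follows symlinks, so a planted link pointing elsewhere is caught here.
    target = (root / f"{name}.md").resolve()
    if target.parent != root:
        raise ValueError(f"path escapes output root: {target}")
    return target


def write_markdown(out_root: Path, doc_title: str, body: str) -> Path:
    """Create the file exclusively: never overwrite, never write through a symlink."""
    target = safe_markdown_path(out_root, doc_title)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(body)
    return target


if __name__ == "__main__":
    # Constructed titles standing in for attacker-influenced document names.
    root = Path(tempfile.mkdtemp(prefix="scrape-out-"))
    for title in ["Q3 roadmap", "../../etc/passwd", "季度 计划", "../.."]:
        try:
            print(repr(title), "->", write_markdown(root, title, "# stub\n").name)
        except (ValueError, FileExistsError) as exc:
            print(repr(title), "-> rejected:", exc)
```
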