Security audit

personal-worklist-via-feishu

Security checks across malware telemetry and agentic risk

Overview

This Feishu worklist skill is mostly legitimate, but it can create persistent reminders and modify task/schema/config state with insufficient user control.

Install only if you are comfortable granting this skill access to your Feishu worklist, Feishu/OpenClaw credentials, and recurring OpenClaw cron reminders. Before first use, review or disable automatic reminder setup, avoid running set_config.js or update_header.js casually, and keep sensitive task details out of shared logs or example files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Intent-Code Divergence

Medium
Confidence: 84%
Finding: The document claims the target worklist becomes locked and forbids configuration-changing operations, yet it still exposes a credential-mutating command surface via set_config.js. That contradiction increases the chance an agent or maintainer will alter credentials or redirect operations to another dataset despite the stated lock, undermining tenant and data-boundary guarantees.

Intent-Code Divergence

High
Confidence: 93%
Finding: The script summary says init_table.js has no parameters, while earlier sections make --open-id mandatory for access control. This inconsistency can cause the agent to invoke initialization without binding the table to the correct user, which may create inaccessible tables or mis-assign ownership and permissions.

Intent-Code Divergence

High
Confidence: 94%
Finding: The test document instructs the agent to immediately write to the Feishu table when task fields are present, but the skill explicitly forbids executing any script before language confirmation. This weakens a safety gate and could cause unintended data modification or workflow execution without completing the required confirmation step, especially in an agentic environment that may treat tests as behavioral authority.

Intent-Code Divergence

Medium
Confidence: 92%
Finding: The script documentation states that only --task is required, and the implementation silently fills source, priority, and status with defaults. In this skill, the manifest explicitly requires the agent to confirm required fields before execution, so this mismatch can cause unauthorized or inaccurate task creation and bypass user-intent validation.

Description-Behavior Mismatch

High
Confidence: 97%
Finding: The task creation flow does not enforce explicit confirmation of priority and deadline even though the skill contract says these fields are mandatory and must be confirmed one by one. This creates a policy-bypass condition where an agent or caller can write records with inferred or missing values, reducing the integrity of user data and enabling unintended automation actions.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: When no source is provided, the code defaults to 计划任务[P]/Planned[P], but the manifest requires an omitted source to be auto-classified as 临时任务[U]. This is a logic-integrity flaw that can misclassify records, affect downstream filtering/reporting/reminders, and cause users to act on incorrect task metadata.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding: The add-task script performs more than record insertion: it writes local state and spawns a secondary reminder-setup script. This broadens capability and side effects beyond the apparent primary action, which is risky in an agent setting because creating a task can silently mutate scheduler state and local files.

Intent-Code Divergence

Medium
Confidence: 96%
Finding: The script's header comments state that field type mismatches require user confirmation before updating, but the implementation later performs the update automatically. This is a real integrity and trust issue: operators may rely on the documented safety behavior and run the script expecting non-destructive behavior, while it can silently alter the schema and potentially disrupt existing data or workflows.

Intent-Code Divergence

Medium
Confidence: 98%
Finding: The inline comment says mismatched field types will be 'prompted and asked', but the code immediately calls updateField without any confirmation gate. In this skill context, that can unexpectedly mutate a user's Feishu table schema, causing data corruption, application breakage, or loss of user-customized configuration.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding: The script rewrites SKILL.md with a new hard-coded header that changes the skill name and behavior description from the declared metadata. In an agent skill system, documentation and manifest/header data drive how the agent is invoked and constrained, so silently replacing them can misrepresent capabilities and alter execution behavior in ways the user or maintainer did not authorize.

Intent-Code Divergence

High
Confidence: 96%
Finding: The injected header states that any modification to user computer configuration or OpenClaw configuration must require explicit confirmation, but this same script immediately rewrites SKILL.md without any confirmation flow. That contradiction is dangerous because it undermines policy transparency and allows configuration-like changes to agent behavior under the guise of documented safety rules.

Vague Triggers

Medium
Confidence: 89%
Finding: The weak-trigger rule allows ordinary work-related conversation to be interpreted as a command to record or act on tasks. Overly broad activation can cause unintended data entry, state changes, or follow-on automation based on casual user messages that were not meant as instructions.

Vague Triggers

Medium
Confidence: 82%
Finding: Several trigger phrases, such as status words and generic workflow terms, are common in everyday conversation. In a chat-integrated skill, generic triggers raise the risk of accidental invocation and unintended updates to the worklist or reminder system.

Missing User Warnings

Medium
Confidence: 91%
Finding: The skill authorizes automatic openclaw cron add/delete without a clear upfront warning that it will create or remove scheduled tasks on the host system. Silent scheduler changes create persistence and autonomous execution risk, especially because reminders continue operating after the immediate conversation ends.

Missing User Warnings

Medium
Confidence: 86%
Finding: The prompt normalizes immediate state-changing writes to an external table without any user-facing notice that data will be modified. In this skill context, the action targets a personal work ledger in Feishu, so silent writes can create privacy, integrity, and consent issues if the agent records content based on an ambiguous trigger or incomplete user awareness.

Missing User Warnings

Medium
Confidence: 95%
Finding: After the first successful task creation, the script automatically launches reminder setup without an explicit warning or consent step. In this skill context, that is especially risky because it turns a simple data-entry operation into a scheduler-modifying action, potentially creating persistent automated behavior the user did not knowingly request.

Missing User Warnings

Medium
Confidence: 88%
Finding: The script retrieves task records from Feishu and prints potentially sensitive fields such as task names, issues, and notes directly to stdout without any minimization, masking, or user-facing disclosure. In agent or shared logging environments, stdout is often captured centrally, which can expose personal work details to operators, logs, or downstream systems beyond the intended user.

Missing User Warnings

Medium
Confidence: 92%
Finding: checkConnection() returns the live tenant access token to any caller on success. Even though this may be intended for diagnostics, exposing a bearer token through a general utility function increases the chance of accidental logging, downstream leakage, or misuse by other parts of the skill. In this Feishu integration context, the token grants API access for the tenant and should be treated as a secret, so returning it materially increases risk.

Missing User Warnings

Medium
Confidence: 93%
Finding: The script explicitly accepts Feishu API credentials via command-line arguments and writes them into config.js in plaintext. This is dangerous because secrets passed on the command line may be exposed through shell history or process listings, and storing them in a source file increases the chance of accidental disclosure through logs, backups, or version control. In the context of a worklist skill backed by Feishu APIs, leaked credentials could allow unauthorized access to the table or related workspace data.

Missing User Warnings

Medium
Confidence: 89%
Finding: The script makes persistent scheduling changes automatically by invoking openclaw cron add through execSync, and the surrounding skill metadata explicitly says this can happen without user awareness. In an agent context, silent creation of recurring jobs expands the system's future execution surface and can cause unauthorized notifications, unintended data processing, or durable side effects without informed consent.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding: The comments describe operation 'without user awareness', which is risky in this agent setting because it normalizes hidden automation that performs durable actions. While comments do not execute, they indicate intended behavior that bypasses transparency and consent, increasing the chance the agent will schedule background tasks in a way users did not expect.

Missing User Warnings

Medium
Confidence: 94%
Finding: The script overwrites the skill's primary markdown definition file in place with no prompt, backup, integrity check, or warning. In this skill context, SKILL.md appears to control operational rules and trigger behavior, so an unchecked overwrite can silently alter agent behavior, remove safeguards, or corrupt the skill definition.

Ssd 3

Medium
Confidence: 88%
Finding: The skill instructs persistence of user language preferences across sessions without consent, retention limits, or minimization guidance. Even though language preference is relatively low sensitivity, storing user-specific metadata indefinitely without notice expands the profile of persistent data the system keeps.

Ssd 3

High
Confidence: 96%
Finding: The skill explicitly directs automatic reading of APP_ID and APP_SECRET from openclaw.json, meaning the agent is instructed to access sensitive secrets from local configuration rather than using a scoped secret manager or delegated token flow. This expands secret exposure to the skill layer and increases the blast radius if the skill is misused or compromised.

Ssd 3

Medium
Confidence: 85%
Finding: Automatically extracting sender_id/open_id from conversation context and passing it to scripts creates an identity-binding action without explicit consent or minimization. In this skill, that identifier is used to grant access and route operations, so misuse could link the wrong identity to a table or expose records to an unintended account.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Critical
Code: suspicious.dangerous_exec
Location: scripts/add_task.js:51
Shell command execution detected (child_process).

Critical
Code: suspicious.dangerous_exec
Location: scripts/setup_reminders.js:170
Shell command execution detected (child_process).