ClawHub
Back to skill

Security audit

Feishu Calendar Intelligent Scheduler

Security checks across malware telemetry and agentic risk

Overview

This calendar scheduling skill includes unrelated publishing and license-management tools with embedded credentials and broad upload behavior, so it needs review before installation.

Review or remove scripts/api_publisher.py, scripts/license_manager.py, and other developer-only tooling before installing. Treat the embedded ClawHub token as exposed, and require explicit previews and confirmation before any real bulk calendar changes, attendee notifications, report exports, or local caching of calendar data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares only Feishu calendar tools, but the static analysis indicates broader capabilities including file read/write, shell, and network access. That mismatch is dangerous because a calendar scheduler does not need unrestricted local filesystem, shell, or arbitrary network behavior, and these capabilities could enable data exfiltration, unauthorized modification, or hidden secondary functions without user awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a severe description-behavior mismatch: the skill claims to be a calendar scheduler, but analysis indicates packaging/distribution tooling, remote upload to external services, hardcoded API token use, and license/key management. Hidden remote publishing, embedded credentials, and unrelated distribution features strongly suggest covert functionality that could exfiltrate skill contents, abuse external APIs, or compromise user environments beyond the advertised calendar scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains a hard-coded bearer token directly in source code, which exposes live credentials to anyone who can read the file, repository, logs, or packaged skill contents. Because this skill is described as a calendar scheduler, embedding a publisher credential is unrelated to normal runtime behavior and significantly increases the chance of unauthorized API access, account abuse, or further supply-chain compromise.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code recursively collects files from the skill directory and uploads them to an external API, which exceeds the stated purpose of a Feishu calendar scheduling skill and creates a data exfiltration path. In context, the mismatch between declared functionality and actual behavior is especially concerning because the upload may include source, docs, config, and other sensitive local contents.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
`generate_license` returns `secret_key` in its result object despite a comment explicitly stating it should not. Any caller, log sink, debug output, or API wrapper using this return value could unintentionally expose the signing key, allowing attackers to forge valid licenses and fully bypass license enforcement.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
Although the save routine avoids persisting the key, the CLI `init` flow later prints the full secret key to stdout, which is commonly captured by terminals, shell history, CI logs, remote session transcripts, or support tooling. Exposure of the HMAC secret enables arbitrary license creation and invalidates the trust model of the verifier.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill advertises bulk meeting creation, modification, cancellation, and automatic invitation sending without clearly warning users about the operational impact. In a calendar-management context, missing warnings can lead to accidental mass changes, unwanted attendee notifications, and disruption across teams if the feature is triggered incorrectly or abused.

Missing User Warnings

Low
Confidence
70% confidence
Finding
The reporting and analytics features process meeting participation and utilization data, but the description does not warn users about the privacy implications. Even if intended for legitimate analytics, omission of privacy notice can cause unanticipated collection, analysis, or export of attendance-related information that may be sensitive in enterprise environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends both the bearer token and collected local file contents to remote endpoints without an explicit consent prompt or clear disclosure at execution time. Even if intended as a developer tool, silent transmission of local contents is risky because users may run it from a repository containing secrets or proprietary material, making unintended disclosure likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code writes the secret key to `.license_secret` without setting restrictive file permissions or warning the operator about the sensitivity of the credential. On multi-user systems or misconfigured environments, other users or processes may read the file and obtain the signing secret, enabling license forgery.

Missing User Warnings

High
Confidence
99% confidence
Finding
The initialization command prints the entire secret key directly to stdout with no warning. This is dangerous because command output is often logged or shared, and once the signing key is exposed an attacker can mint valid licenses indefinitely until the key is rotated.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.