Voice Interaction Skill - feishu&qq - byLi

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Feishu voice skill, but it also ships high-impact scripts that modify another OpenClaw extension and execute unverified install-time code.

Install only after reviewing the shell scripts. Avoid running fix-debug-leak.sh unless you intentionally want this package to modify your QQBot extension and have backups. Prefer environment variables over openclaw.json for Feishu credentials, disable the HuggingFace mirror if you do not trust it, and do not use this with sensitive voice/chat data until the privacy wording and TTS script safety are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes access to environment variables, file reads/writes, shell execution, and network communication, yet no explicit permissions are declared. This creates an authority gap where operators may install the skill without understanding its actual capabilities, increasing the chance of over-privileged or unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill is presented as a Feishu voice interaction tool, but the documentation also discloses a script that modifies other OpenClaw extensions under /root/.openclaw/extensions/qqbot. Cross-extension source modification is unrelated to the stated function and is dangerous because it can silently alter trusted components, widen blast radius, and introduce supply-chain style persistence or integrity loss.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The report claims all paths use environment variables or relative paths, but it also discloses a concrete `/root/.openclaw/workspace/releases/...` path. Even though this is only documentation, it leaks host filesystem layout and contradicts the stated privacy posture, which can aid reconnaissance or expose operational details about the build environment.

Intent-Code Divergence

Low
Confidence
94% confidence
Finding
The document states `/root/` appears only in comments as an example, but the body of the report contains a specific `/root` path. This is a genuine information disclosure issue in documentation because it reveals environment details and undermines trust in the security review's accuracy.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README explicitly documents a `fix-debug-leak.sh` script that modifies source code in other OpenClaw extensions, including paths under `/root/.openclaw/extensions/qqbot/`. For a Feishu audio-processing skill, cross-extension source modification is an unrelated and dangerous capability because it can tamper with other components, expand blast radius, and create a supply-chain style persistence vector if users run it without fully understanding the consequences.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documented ability to patch other extensions is unjustified in the context of a Feishu voice interaction skill and indicates excessive scope. Even if framed as a repair function, this kind of lateral modification can be abused to alter behavior of unrelated agents, hide malicious changes, or interfere with audits and updates.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The document makes a contradictory privacy claim: it says the skill does not collect voice content or chat records, while elsewhere it admits that voice messages and text are sent to third-party services for synthesis or message delivery. Misleading security/privacy documentation can cause operators to deploy the skill under false assumptions, creating compliance, consent, and data-handling risk.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document claims the curl|sh supply-chain issue is fixed, but the replacement still downloads and executes a remote script from the network. Saving to a temporary file and checking only the shebang does not establish authenticity or integrity, so a compromised server, mirror, DNS path, or MITM could still deliver malicious code for execution.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The verification guidance is misleading because it treats the absence of a literal curl|sh pattern as proof that the risk is gone, while the documented flow still downloads and runs a remote shell script. This can create a false sense of security and cause reviewers or users to miss a still-present remote code execution supply-chain path.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The security guide for a Feishu audio skill instructs users to back up, modify, and restore an unrelated `/root/.openclaw/extensions/qqbot/` extension. In a security document, this cross-skill guidance is risky because it can cause operators to run privileged commands against the wrong component, expanding blast radius and potentially corrupting or exposing another extension's data or credentials.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The warning document explicitly states that a related script modifies other OpenClaw extensions under paths like `/root/.openclaw/extensions/qqbot/`, which is a clear boundary violation for a Feishu audio skill. Even though this file is only documentation, it credibly indicates the skill package contains or expects behavior outside its declared scope, creating risk of unauthorized code tampering, persistence, or cross-extension compromise.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document says the skill reads shared `openclaw.json` credentials and may access other channel/account secrets in multi-agent mode, which conflicts with the declared environment-variable credential model. This suggests the skill may reach into shared credential stores beyond its intended Feishu-only scope, increasing the chance of secret exposure or lateral access across agents.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Documenting a script that modifies other OpenClaw extensions is a real security concern because it normalizes behavior outside the skill's advertised scope. In this context, the skill handles credentials, logs, and media processing; adding the ability to rewrite unrelated extension code materially increases trust and integrity risk.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file is materially inconsistent with the declared skill: it documents a QQBot repair script under a Feishu audio skill. This kind of scope mismatch is dangerous because it can mislead operators into applying commands to an unrelated extension, increasing the chance of unintended modification of another component and masking supply-chain or packaging integrity issues.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script’s behavior is materially unrelated to the declared Feishu audio skill: it modifies a local QQBot/OpenClaw extension under /root/.openclaw/extensions/qqbot and deletes a cache file. This mismatch is dangerous because users reviewing or installing the skill for Feishu voice processing could unknowingly grant a package the ability to patch unrelated local components, expanding trust boundaries and creating supply-chain style risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This file contains hard-coded local source patching operations using sed against TypeScript files in another extension, plus cache deletion in the user’s home directory. That gives the skill an undocumented capability to alter local application code and persistence state, which can be abused to weaken logging, hide artifacts, break integrity, or introduce backdoors if the script is run with sufficient privileges.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The healthcheck script sources a local virtualenv activation script, which executes arbitrary shell code from the repository instead of performing a passive inspection. In an adversarial or tampered skill directory, running the healthcheck can trigger code execution before any checks occur, violating the principle of least surprise for a diagnostic tool.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script defaults model downloads to a non-official HuggingFace mirror by exporting HF_ENDPOINT=https://hf-mirror.com. This introduces a supply-chain trust shift without integrity verification or explicit opt-in, so a compromised mirror could serve tampered model artifacts or metadata.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer fetches a shell script from astral.sh and executes it locally. Even though it avoids a direct curl|sh pattern and performs a superficial shebang check, it still grants code execution to unauthenticated remote content at install time, which is a classic supply-chain risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README describes automatic speech recognition, AI processing, TTS synthesis, and transmission to Feishu and third-party network services, but it does not clearly warn users that voice content may be sent off-host or processed by external providers. In a voice-messaging skill, this creates a real privacy and compliance risk because users or deployers may unknowingly process sensitive audio and transcript data through external APIs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that all debug information is automatically written to log files, but does not describe redaction, access control, or the risk that transcribed speech, model inputs, file paths, tokens, or other sensitive data may be captured. For a voice-processing skill handling credentials and user content, indiscriminate logging increases confidentiality risk and can create durable local data exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow sends recognized user speech to a large model and to Feishu APIs, yet the documentation does not clearly warn that user audio/transcripts leave the local system and may be processed by external services. In a voice interaction context, this can expose sensitive personal or business data without informed consent or administrator awareness.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation instructs users to delete a cache file but does not clearly warn that the action is destructive and may remove conversation/reference state. Even though the target is a cache path, users may run the command without understanding the effect, causing data loss or operational disruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`get_command_version` passes a constructed string to `bash -c`, which reintroduces shell parsing and allows command injection if `version_cmd` can be influenced by untrusted input. Although intended for version checks, this helper creates an execution sink that can run arbitrary shell metacharacters and chained commands.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Sourcing the local .env file executes it as shell code, not merely reads key-value pairs. If the .env file is modified maliciously or contains shell metacharacters/functions, running the healthcheck can lead to arbitrary code execution and exposure of sensitive credentials in the current shell context.

VirusTotal

47/47 vendors flagged this skill as clean.