ClawHub

Feishu Contacts Sync

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it handles Feishu app credentials and writes a full contacts lookup into USER.md, including optional scheduled updates to agent context.

Install only if you are comfortable letting this skill read Feishu app credentials and place Feishu directory names and open_ids into USER.md. Use a least-privileged read-only Feishu app, restrict file permissions on openclaw.json and USER.md, review generated changes before restarting the gateway, and avoid the cron job unless you explicitly want recurring automated updates to agent context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs reading credentials from an OpenClaw config file, calling the Feishu contacts API, and writing results into USER.md, yet it declares no permissions. That mismatch weakens security review and user consent because the skill’s actual capabilities include file read, file write, and network access against sensitive configuration and identity data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill recommends a cron job that will periodically rewrite USER.md without a strong user-facing warning about continuous modification of a prompt-injected file. Because USER.md is incorporated into the agent context, unattended updates can silently change agent behavior, introduce stale or incorrect identity mappings, and create an integrity/privacy risk if the contacts set changes unexpectedly.

Credential Access

High
Category
Privilege Escalation
Content
print(f"Available accounts: {list(cfg.get('channels', {}).get('feishu', {}).get('accounts', {}).keys())}")
        sys.exit(1)

    # 2. Get tenant access token
    req = urllib.request.Request(
        "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal",
        data=json.dumps({
Confidence
83% confidence
Finding
access token

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal