Feishu Group

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it bulk-syncs a Feishu organization directory into persistent agent context and understates the privacy risk.

Install only if you are authorized to grant Feishu contact-read access and are comfortable storing employee names and open_ids in USER.md. Treat USER.md as sensitive, do not commit or share the generated table, review any cron setup, and prefer a narrower on-demand lookup or limited contact export where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill instructs operators to run a bundled sync script that reads configuration, calls the Feishu API, and writes contact data into USER.md, yet the skill declares no permissions. This creates hidden capability expansion: adopters may enable file and network access without realizing the skill materially handles external data and local persistence.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The description presents the skill as chat-behavior guidance, but the body also instructs users to authenticate to Feishu, pull an organization contact directory, and persist identifiers locally. That mismatch can bypass operator scrutiny and lead to deployment of broader data-access behavior than the title and summary suggest.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The skill expands from behavioral guidance into operational instructions for syncing and storing a user directory in workspace files. Persisting organization names and identifiers in prompt-injected files increases the blast radius of any prompt leak, workspace exposure, or overbroad agent access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The script pulls the full Feishu directory and writes names plus open_id values into a local markdown file, creating a bulk export of internal contact data. In the context of a skill meant to help an agent participate in group chats, this expands data collection beyond the minimum necessary and increases privacy and data-exposure risk if USER.md is shared, committed, or read by other tools.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
Bulk retrieval and persistence of the entire user directory increases the blast radius of any local compromise and exposes more personal/organizational data than necessary. Because this skill is for chat participation rather than directory synchronization, the surrounding context makes the overcollection more concerning, not less.

VirusTotal

64 of 64 vendors reported this skill as clean.