OpenClaw Feishu Group Chat

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it syncs a Feishu organization contact list into a persistent prompt-visible USER.md file, so users should review the privacy and scope carefully before installing.

Install only if you are comfortable granting a Feishu app directory-read access and storing names/open_ids in USER.md. Use a least-privilege Feishu app, protect both openclaw.json and USER.md, exclude USER.md from source control if it contains contact mappings, and avoid the weekly cron sync unless automatic refresh is truly needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs operators to run a Python sync script that reads local config, calls Feishu APIs, and writes results into USER.md, but the skill declares no permissions or capability boundaries. That mismatch can cause an agent platform or reviewer to underestimate that the skill enables file read/write and network-backed data collection, increasing the chance of unintended data access and unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is chat behavior guidance, but the content also directs collection of the full Feishu contact directory using app credentials and persistence of the mapping into USER.md. This is security-relevant because users may install the skill expecting conversational behavior changes, not directory enumeration and local storage of identity data, which can materially expand privacy and access risk.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script retrieves the full directory for department_id=0, which appears broader than the stated goal of helping an agent behave properly in group chats. In this skill context, collecting the entire tenant user directory increases privacy exposure and data minimization risk because a group-chat integration may only need identifiers for participants actually encountered, not all users.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script exports all discovered user names and open_id values into a local markdown file, creating a durable, easy-to-copy directory dump. In the context of a group-chat skill, this is more dangerous because USER.md may be broadly readable within a workspace, committed to source control, or consumed by downstream agents, causing unnecessary disclosure of organizational identity data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill tells users to store an open_id-to-name directory in USER.md, which is injected into the system prompt, without a prominent upfront warning about privacy, retention, visibility, and who or what can read that file. Even though it limits fields to names and open_ids, this still creates a persistent identity directory in prompt-accessible storage and can expose employee identity mappings more broadly than intended.

VirusTotal

62/62 vendors flagged this skill as clean.
