feishu-bitable-builder

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Feishu Bitable builder skill with disclosed business-data automation capabilities that fit its purpose.

Install this only if you want an agent to help create or configure Feishu Bitable resources. Before enabling automations, review permissions, delete actions, AI inputs, outbound HTTP/webhook endpoints, and exactly which business or personal fields may be sent outside Feishu; reduce robot edit access when setup or maintenance is complete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly supports HTTP requests and webhook-based real-time synchronization, which can transmit workspace data to external systems, but it does not provide a user-facing warning or require confirmation before enabling such integrations. In a data-management skill that may handle CRM, inventory, project, or other operational records, this creates a meaningful risk of unintended data exfiltration, privacy violations, or policy non-compliance.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation explicitly recommends outbound HTTP requests to synchronize record data such as customer names, order amounts, and timestamps to external systems, but it does not include any warning about privacy, data classification, consent, destination trust, or secret handling. In a skill focused on building production business workflows, this omission can lead users to exfiltrate sensitive business or personal data to third-party endpoints without realizing the security and compliance implications.

Missing User Warnings

Medium
Confidence: 90%
Finding
The file documents delete operations for records, tasks, and calendar items as standard workflow actions without warning that these actions may be irreversible or have broad side effects if conditions are misconfigured. In an automation context, a mistaken trigger or filter can cause large-scale unintended deletion, making this materially risky even though it is presented as normal product guidance.

VirusTotal

64/64 vendors flagged this skill as clean.
