ClawHub

Feishu Bot Creator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it creates Feishu apps and handles app secrets in ways users should review carefully before installing.

Install only if you intentionally want this skill to create and configure Feishu applications in your tenant. Verify FEISHU_API_BASE is the official Feishu endpoint, use the smallest permissions needed, avoid running it in logged terminals or CI, and protect or relocate the generated config file because it contains app credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tainted flow: 'url' from os.environ.get (line 112, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"app_secret": self.app_secret
        }
        
        response = requests.post(url, json=payload)
        data = response.json()
        
        if data.get("code") != 0:
Confidence
94% confidence
Finding
response = requests.post(url, json=payload)

Tainted flow: 'url' from os.environ.get (line 112, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"category": "效率办公"
        }
        
        response = requests.post(url, json=payload, headers=headers)
        data = response.json()
        
        if data.get("code") != 0:
Confidence
92% confidence
Finding
response = requests.post(url, json=payload, headers=headers)

Tainted flow: 'url' from os.environ.get (line 112, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"permission_point_codes": permissions
        }
        
        response = requests.post(url, json=payload, headers=headers)
        data = response.json()
        
        if data.get("code") != 0:
Confidence
91% confidence
Finding
response = requests.post(url, json=payload, headers=headers)

Tainted flow: 'url' from os.environ.get (line 112, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"webhook": webhook_url if webhook_url else None
        }
        
        response = requests.post(url, json=payload, headers=headers)
        data = response.json()
        
        if data.get("code") != 0:
Confidence
91% confidence
Finding
response = requests.post(url, json=payload, headers=headers)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation indicates capabilities to read environment variables, write files, and make network requests, yet it does not declare any explicit permissions or constraints. In a skill that creates Feishu bots and handles app credentials, this increases risk because secrets such as FEISHU_APP_SECRET may be accessed and written to disk or transmitted over the network without a clear permission boundary or user awareness.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The script's stated purpose is bot creation/configuration, but it also persists sensitive bot and application configuration to disk. Saving operational secrets and identifiers expands the attack surface because any local user, backup system, or malware with file access can recover reusable credentials.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script writes the newly generated app_secret into the output configuration file. That secret is a long-lived credential, so persisting it in plaintext creates a straightforward local secret exposure path and exceeds the narrow operational need of simply creating a bot.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script saves newly created credentials to a local file without warning the user that sensitive secrets are being written in plaintext. This increases the chance of accidental disclosure through source control, backups, shared home directories, or weak filesystem permissions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Printing the generated app secret to stdout exposes it to terminal history capture, shell logging, CI/CD logs, process supervisors, and screen recording tools. Secrets printed to console are often copied into tickets or chat unintentionally, making compromise much more likely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal