Feishu Calendar Management Tool

Security checks across malware telemetry and agentic risk

Overview

This Feishu calendar skill is instruction-only and aligned with calendar management, but it recommends broad attendee edit authority and documents live calendar-changing actions without much control guidance.

Install only if you want an agent to manage Feishu calendar data. Before allowing writes, confirm the exact time, timezone, attendees, RSVP action, and whether invitees should really be able to edit the event or manage participants; use lower attendee permissions when shared editing is not intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documents multiple state-changing operations such as creating meetings, modifying event times, replying to invitations, and deleting attendees, but it does not include an explicit warning that these actions will change live calendar data or should be confirmed before execution. In a calendar-management context, this increases the risk of unintended writes, accidental invitations, schedule changes, or RSVP updates affecting real users and shared organizational calendars.

Natural-Language Policy Violations

Medium
Confidence: 87%
Finding
The skill hard-codes Asia/Shanghai as the timezone without providing user choice, opt-in, or clear handling for users in other locales. In calendar workflows, timezone assumptions can cause meetings to be created or modified at the wrong real-world time, leading to missed meetings, incorrect invitations, and organization-wide scheduling errors.

VirusTotal

65/65 vendors flagged this skill as clean.
