Project Management Assistant (PM Assistant)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate project-management assistant, but it should be reviewed because it can process, retrieve, log, and archive sensitive project materials without clear scope or retention limits.

Install only in an environment where Feishu bot access, project repositories, knowledge bases, logs, and archives are explicitly scoped by project and role. Configure retention, deletion, redaction, attachment-type limits, and human approval rules before using it with real contracts, customer records, financial details, or confidential delivery materials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Natural-Language Policy Violations

Severity: Medium | Confidence: 91%
Finding:
The template is entirely in Chinese and provides no indication that the output language is selected by the user or constrained by an explicit product requirement. This can cause unintended language-locking, reducing accessibility and potentially leading to misunderstandings or unusable outputs for users expecting another locale, especially in cross-team or cross-client project workflows.

Vague Triggers

Severity: Medium | Confidence: 91%
Finding:
The workflow is triggered by essentially any Feishu-submitted task, text, or attachment, with no documented allowlist, project scoping, content-type restriction, or explicit user action boundary. In a project-management assistant that can parse attachments, retrieve historical materials, and generate structured outputs, this broad trigger surface increases the risk of unintended processing, prompt injection through attachments, and accidental handling of unrelated or sensitive content.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding:
The workflow explicitly logs and archives user-submitted content, but the document does not describe retention limits, sensitive-data handling, or user notice/consent. Because this assistant processes contracts, deliverables, customer communications, and other potentially confidential project artifacts, silent retention creates privacy, compliance, and insider-exposure risk if logs or archives are later accessed improperly.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding:
The workflow retrieves knowledge bases, templates, SOPs, and historical materials without documenting scope limits or informing users what repositories may be accessed. In this context, broad retrieval can expose unrelated project data or confidential historical records to the model and to users who may not expect that access path, especially when combined with permissive routing from general Feishu submissions.

VirusTotal

64/64 vendors flagged this skill as clean.