Feishu Bot Manager CN

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with Feishu bot setup, but it can persist bot secrets, change global OpenClaw routing behavior, and restart the Gateway with insufficient runtime guardrails.

Install only if you are comfortable with it editing your main OpenClaw config, storing the Feishu App Secret in plaintext config and backup files, changing session.dmScope, and restarting Gateway. Use a dedicated Feishu bot secret, review the generated config before use, restrict permissions on ~/.openclaw, and prefer manual restart/confirmation rather than unattended CLI execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The skill's stated purpose understates materially sensitive behaviors: changing a global session setting, restarting the gateway, and storing Feishu App Secret in plaintext configuration. This is dangerous because operators may approve a seemingly routine binding task without realizing it can alter global runtime behavior, cause service disruption, and persist credentials in an insecure way.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill’s declared purpose is Feishu bot/account binding management, but it also modifies a global OpenClaw session setting and restarts the Gateway. Those side effects affect the whole runtime, not just the target bot being added, so a user invoking a narrow configuration task may unknowingly trigger broader operational changes and service disruption.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The code imports child_process and later executes OpenClaw CLI commands, including a Gateway restart, which exceeds the minimum privileges needed to edit a config file. Even though the command strings are hardcoded and not directly shell-injected from user input, subprocess execution broadens the attack surface and can cause unexpected availability or environment changes.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs users to paste App ID and App Secret directly into chat without warning that these are sensitive credentials. In an agent/chat environment, this increases the risk of accidental exposure through logs, transcripts, prompt history, or downstream tooling, especially since the skill also indicates the secret may be written to configuration.

VirusTotal

64/64 vendors flagged this skill as clean.
