Feishu Group Company

Security checks across malware telemetry and agentic risk

Overview

This skill transparently edits a local OpenClaw Feishu routing config for the company-group behavior it describes.

Install only if you want this Feishu group routing pattern. Run the script with --dry-run first, use --backup before writing, verify the group and account IDs, and reload Gateway after applying the change.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill instructs the user to run a local script that reads and writes `~/.openclaw/openclaw.json`, but the skill metadata shown here does not declare those capabilities or warn about the configuration-changing behavior. Undeclared file modification increases the chance of users or automation executing the skill without understanding that persistent local settings will be altered, which can lead to misconfiguration or unsafe trust in the skill.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The quick-start section tells the user to run a patching script against `~/.openclaw/openclaw.json` without an explicit caution that this will persistently modify live configuration data. In a configuration-management skill, that omission is especially risky because users may execute the command in production-like environments and unintentionally break routing, bot behavior, or account bindings.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal