ClawHub

Feishu Doc Reader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, read-only Feishu/Lark document reader, but it can pull large amounts of workspace content if users enable wiki-space or recursive modes.

Install only if you are comfortable giving a local script read-only access through your Feishu app. Use a dedicated low-privilege Feishu app, share only approved documents or spaces with it, protect the local credential file or use environment variables, and avoid recursive wiki reads unless you intend to bring that full content into the agent session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents capabilities to read environment/config files and make outbound network requests to Feishu, but it does not declare permissions accordingly. This creates a transparency and policy-enforcement gap: users or a hosting platform may underestimate what the skill can access, especially since it handles app credentials and reads arbitrary Feishu documents reachable by those credentials.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is described as a document reader, but it also supports listing and reading an entire Wiki space, which materially expands its data-access scope from single-document retrieval to workspace-wide enumeration. In an agent context, this increases the risk of over-collection and unintended bulk access to sensitive internal knowledge base content beyond what a user may have intended to authorize.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The recursive Wiki traversal can walk child nodes and extract docx, sheet, and bitable contents across a knowledge space, enabling broad data harvesting from a single invocation. Even without malicious intent, this creates a clear excessive-capability issue for a skill whose stated purpose is reading documents, especially when used by autonomous agents that may not adequately communicate scope to the end user.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Bulk extraction of Wiki space contents occurs without any prominent runtime warning, approval checkpoint, or scope preview, making it easy for users or agents to retrieve far more data than expected. In practice, this can turn a narrow document-read action into mass collection of documents, spreadsheet data, and bitable records, raising confidentiality and compliance risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal