dingtalk-feishu-sync-schedule

Security checks across malware telemetry and agentic risk

Overview

This is a real DingTalk-to-Feishu calendar sync skill, but it can automatically delete Feishu calendar events more broadly than its description states.

Install only if you are comfortable granting calendar API access and storing Feishu/DingTalk credentials locally in plaintext. Before enabling the cron job, review or change the deletion logic so it deletes only events clearly created by this tool (run it in a dry-run mode first if you add one), reduce the app's permissions to the minimum needed, restrict the config files to your own user, and assume local logs may include calendar details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script persists sensitive Feishu secrets and tokens (`app_secret`, `access_token`, `refresh_token`) into a local config file without warning the user, permission hardening, or any protection mechanism. On multi-user systems or in environments with weak home-directory permissions, these credentials could be read by other local users or unintentionally exposed via backups, logs, or support bundles, enabling account/API access.
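The following is an added example of the hardening this finding asks for; it is not the skill's own code. It writes the config file with mode 0600 from the moment it exists (via a `mkstemp` temp file swapped in with `os.replace`), checks an existing file for group/other access or foreign ownership, and produces a redacted copy for anything that might end up in logs or a support bundle. The key names match the finding; the file name and sample values are constructed for the example.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Keys the finding names as persisted secrets; values under these keys must
# never reach logs, support bundles or group/world-readable files.
SENSITIVE_KEYS = ("app_secret", "access_token", "refresh_token")


def write_config_securely(path, config):
    """Persist config as JSON readable only by the owning user.

    mkstemp creates the temp file with mode 0600, so there is never a window
    in which a group- or world-readable copy exists; os.replace then swaps it
    into place atomically, so a crash cannot leave a half-written file behind.
    """
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(dir=path.parent, prefix=".config-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            if hasattr(os, "fchmod"):          # explicit, even though mkstemp already used 0600
                os.fchmod(fh.fileno(), 0o600)
            json.dump(config, fh, indent=2)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp_name, path)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise
    return path


def check_config_permissions(path):
    """Return the problems found with how the config file is protected (empty list = OK)."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} grants access to group/others; expected 0600")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, not by the current user")
    return problems


def redact(config):
    """Copy of the config that is safe to log or include in a support bundle."""
    return {k: ("<redacted>" if k in SENSITIVE_KEYS else v) for k, v in config.items()}


def demo():
    """Run the helpers against a constructed sample config in a fresh temp directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "feishu.json")      # file name is an assumption for the example
    # Constructed sample values, not real credentials.
    config = {"app_id": "cli_example", "app_secret": "shhh",
              "access_token": "t-1", "refresh_token": "r-1"}
    write_config_securely(path, config)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    clean = check_config_permissions(path)
    with open(path, encoding="utf-8") as fh:
        round_trip = json.load(fh) == config
    os.chmod(path, 0o644)                            # simulate the unhardened write the finding describes
    loose = check_config_permissions(path)
    return {"mode": mode, "clean": clean, "round_trip": round_trip,
            "loose": loose, "redacted": redact(config)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The permission check is worth running at startup as well as after writing: a weak umask, a careless `chmod`, or a restore from backup can loosen the mode long after the file was first created.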

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The script automatically sends a message through an external CLI to a user-specific Feishu target without any user confirmation, opt-in flow, or visible disclosure beyond code comments. In an agent skill context, silent outbound messaging can leak operational data from logs and create unexpected external side effects, especially if the script is triggered automatically.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script deletes calendar events in Feishu and recreates them automatically without an explicit confirmation step, dry-run mode, or stronger scoping safeguards. In an automation skill that modifies user calendar data, this can cause unintended data loss or disruption if configuration is wrong, matching logic is too broad, or the script is run unexpectedly.
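The following is an added example of the scoping safeguards this finding and the overview call for; it is not the skill's code and does not use the real Feishu API, which is stood in for by a small fake client. The approach is an assumption: every event the tool creates carries a hypothetical marker with its DingTalk source id in the description, only marker-bearing events whose source id has disappeared are deletion candidates, an unchanged event is left alone rather than deleted and recreated, the default is a dry run that only reports, and a cap on deletions per run stops a bad config or an empty source response from emptying the calendar unattended.

```python
from dataclasses import dataclass, field

# Hypothetical marker stamped into the description of every event this example
# creates. Deletion is restricted to events carrying it, so a meeting a person
# added by hand is never a candidate even if its title matches a DingTalk one.
SYNC_MARKER = "[dingtalk-sync id="


@dataclass
class Event:
    event_id: str       # id assigned by the calendar service
    summary: str
    description: str = ""


def marked_description(src_id, text):
    """Description for an event this tool owns, keyed by its DingTalk id."""
    return f"{SYNC_MARKER}{src_id}] {text}"


def source_id(event):
    """DingTalk id embedded in the marker, or None for events we did not create."""
    desc = event.description
    if not desc.startswith(SYNC_MARKER):
        return None
    end = desc.find("]", len(SYNC_MARKER))
    return desc[len(SYNC_MARKER):end] if end > 0 else None


@dataclass
class FakeCalendar:
    """Constructed stand-in for the Feishu calendar client (not the real API)."""
    events: list
    deleted: list = field(default_factory=list)
    created: list = field(default_factory=list)

    def list_events(self):
        return list(self.events)

    def delete_event(self, event_id):
        self.events = [ev for ev in self.events if ev.event_id != event_id]
        self.deleted.append(event_id)

    def create_event(self, event):
        self.events.append(event)
        self.created.append(event.event_id)


def plan_sync(existing, desired):
    """Diff the calendar against DingTalk. desired: {src_id: (summary, text)}.

    Returns (to_delete, to_create). Only marker-bearing events whose DingTalk
    id is gone are deleted; ids still present are kept, not recreated.
    """
    ours = {}
    for ev in existing:
        sid = source_id(ev)
        if sid is not None:
            ours[sid] = ev
    to_delete = [ev for sid, ev in ours.items() if sid not in desired]
    to_create = [Event(f"new-{sid}", summary, marked_description(sid, text))
                 for sid, (summary, text) in desired.items() if sid not in ours]
    return to_delete, to_create


def run_sync(calendar, desired, dry_run=True, max_deletes=10):
    """Apply the plan. dry_run (the default) only reports; max_deletes caps the blast radius."""
    to_delete, to_create = plan_sync(calendar.list_events(), desired)
    report = {"dry_run": dry_run,
              "delete": [ev.event_id for ev in to_delete],
              "create": [ev.event_id for ev in to_create]}
    if len(to_delete) > max_deletes:
        # Leave mass deletions to a human-run invocation with an explicit higher cap.
        raise RuntimeError(f"refusing to delete {len(to_delete)} events (cap {max_deletes})")
    if not dry_run:
        for ev in to_delete:
            calendar.delete_event(ev.event_id)
        for ev in to_create:
            calendar.create_event(ev)
    return report


def demo():
    """Constructed scenario: one hand-made event, one current and one stale synced event."""
    def fresh():
        return FakeCalendar([
            Event("e1", "Dentist"),                                     # user-created, unmarked
            Event("e2", "Standup", marked_description("d1", "daily")),
            Event("e3", "Old review", marked_description("d9", "gone")),
        ])
    desired = {"d1": ("Standup", "daily"), "d2": ("Planning", "weekly")}
    cal = fresh()
    preview = run_sync(cal, desired)                  # dry run: nothing is touched
    untouched = cal.deleted == [] and cal.created == []
    cal = fresh()
    applied = run_sync(cal, desired, dry_run=False)
    survivors = sorted(ev.event_id for ev in cal.events)
    try:                                              # empty source + two synced events > cap of 1
        run_sync(fresh(), {}, dry_run=False, max_deletes=1)
        capped = False
    except RuntimeError:
        capped = True
    return {"preview": preview, "untouched": untouched, "applied": applied,
            "deleted": cal.deleted, "created": cal.created, "survivors": survivors, "capped": capped}


if __name__ == "__main__":
    print(demo())
```

Two points carry over to the real script regardless of how the marker is implemented: the fallback must be to do nothing (an empty or failed DingTalk fetch must not read as "delete everything"), and the cron invocation should pass the non-dry-run flag explicitly so a stray manual run cannot mutate the calendar by accident.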

VirusTotal

64/64 vendors flagged this skill as clean.
