Feishu Repair

Security checks across malware telemetry and agentic risk

Overview

This Feishu repair skill is disclosed as an automatic repair tool, but it can change OpenClaw Feishu settings, restart the gateway, use app credentials, and message all configured recipients without a separate confirmation step.

Install only if you administer the OpenClaw Feishu integration and are comfortable with automatic allowlist changes, a gateway restart, and test messages sent to all configured users and chats. Prefer modifying or wrapping it so diagnosis is read-only by default, repairs require an explicit flag, config changes are previewed, and Feishu test messages are limited to selected recipients.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill advertises automatic diagnosis and repair but declares no permissions while describing behaviors that require shell access, environment access, and service control. This creates a transparency and governance gap: operators cannot accurately assess or constrain what the skill can do, and the hidden capability to restart services or access local configuration increases risk if the skill is invoked unexpectedly or modified later.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 96% confidence
Finding: The documented purpose understates materially sensitive behaviors: the skill reads local Feishu credentials/configuration and backups, restarts a system service, calls external Feishu APIs, and sends messages to all configured groups and users. In context, this is more dangerous because the skill is framed as a repair tool, so users may trigger it expecting diagnostics while it performs broad side effects, credential use, and mass outbound messaging.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: After making configuration changes, the script automatically sends live Feishu verification messages to every configured group and user. This creates unintended outbound communication, can leak operational metadata to real recipients, and performs side effects that are not clearly disclosed by the skill description or usage text.

Context-Inappropriate Capability

High

Confidence: 95% confidence
Finding: The script reads stored Feishu app credentials, exchanges them for a tenant access token, and then uses that token to send messages externally. In a repair script this is sensitive because it turns local configuration access into authenticated outbound actions, increasing the blast radius if the script is run unexpectedly or modified.

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The script automatically restarts the openclaw-gateway service as part of repair flow, which is a disruptive state-changing action beyond passive diagnosis. Because this behavior is not clearly disclosed in the help text, users may trigger downtime or altered service behavior unintentionally.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: Automatically sending verification messages to every configured Feishu group and direct-message recipient can expose operational details, create privacy issues, and cause unintended mass messaging or spam-like behavior. The skill context makes this more dangerous because recipient lists are pulled from live configuration and backups, so the blast radius may include stale, sensitive, or broad organizational contacts without clear user awareness.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script automatically modifies Feishu permission configuration based on values recovered from current or backup config files, without prior user approval. Silent configuration changes can restore stale or incorrect allowlists and may re-authorize users or groups unexpectedly.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The repair flow chains multiple state-changing actions—service restart and outbound verification messaging—without prior approval. This combination can cause operational disruption and visible external effects immediately after a simple diagnostic run.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The script sends verification messages to all configured groups and users without clear prior warning in the usage/help text. In this context, a user invoking a diagnostic tool would not reasonably expect mass outbound messaging, making this an unsafe surprise side effect.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal