Follow Builders Sidecar

Security checks across malware telemetry and agentic risk

Overview

This sidecar mostly does what it says, but it deserves review because it changes scheduled jobs, can post externally, and handles Feishu credentials, with network behavior broader than the documentation clearly scopes.

Review before installing. Prefer OpenClaw account mode over direct_credentials. If direct credentials are used, protect ~/.follow-builders-sidecar/credentials.json with restrictive permissions, avoid putting secrets in shell history, and rotate them if exposed. Confirm you want the sidecar to disable the original cron, create an hourly replacement, and send digest content to OpenClaw or Feishu. Keep Feishu domains to official feishu/lark endpoints and avoid untrusted avatar URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The script pulls prompt templates from a remote GitHub branch at runtime, which gives an external repository maintainer or anyone who compromises that source the ability to change downstream LLM behavior without a local code update. In a skill that is supposed to be a scheduling/delivery sidecar, this increases risk because prompt changes can silently alter generated content, instructions, or data handling beyond what users expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The avatar pipeline fetches remote avatar content from item-provided URLs and may upload it using a fallback Feishu account when the primary account lacks image-upload scope. That creates cross-account data movement and expands trust boundaries beyond the main delivery account, which can lead to unintended disclosure, policy bypass, or SSRF-style network access if untrusted input controls avatar sources.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README explicitly describes a takeover flow that disables the original cron, creates a new hourly cron, and writes new sidecar state, but it does not clearly warn users that local scheduling behavior will be modified. In an agent-skill context, operational changes to automation are security-relevant because they can silently alter message delivery behavior, suppress the original job, and persist changes outside the upstream skill.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README documents storing Feishu app credentials locally in direct-credentials mode, but it does not include an explicit warning that these are sensitive secrets requiring careful handling. In practice, users may paste long-lived app secrets into local files without understanding exposure risks from weak file permissions, backups, logs, or multi-user systems.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README documents takeover behavior that disables an existing cron job and writes persistent local configuration, state, and possibly credentials, but it does not prominently warn users about these side effects, storage locations, or the operational impact of altering scheduled tasks. In an agent-skill context, hidden or under-emphasized system changes increase the chance of unintended persistence and credential exposure, even if the functionality appears legitimate.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code loads prompt content from a remote source (`fetchText(`${promptsBase}/$(unknown)`)`) when a local override is not present, with no integrity verification, pinning, or clear disclosure. Because prompts directly shape downstream model behavior, a compromised remote source or unexpected prompt change could silently alter outputs, instructions, or data handling.

Credential Access

Severity: High
Category: Privilege Escalation
Content
- `~/.follow-builders-sidecar/config.json`
- `~/.follow-builders-sidecar/state.json`
- `~/.follow-builders-sidecar/credentials.json` is written only in direct Feishu app (direct_credentials) mode

The original `~/.follow-builders/config.json` is imported only once, at takeover.
After takeover completes, the sidecar configuration is authoritative.
Confidence: 91%
Finding
credentials.json

Credential Access

Severity: High
Category: Privilege Escalation
Content
Feishu card delivery supports two modes:

- `openclaw_account`: reuse the Feishu account already configured in OpenClaw, plus a target group chat `chatId`
- `direct_credentials`: write the sidecar's own Feishu `appId` / `appSecret` / `chatId` to the local file `~/.follow-builders-sidecar/credentials.json`

If the sending app lacks the image-upload scope, it automatically falls back to the default Feishu account to upload avatars.
Confidence: 94%
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.