Feishu All In One

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Feishu messaging purpose, but it can forward full card interaction data to a configurable OpenClaw Gateway with limited disclosure and scoping.

Review this skill before installing. Use it only if you intend to let the agent send Feishu messages, upload selected local files, and run a card callback process. Protect the Feishu App Secret, keep ~/.openclaw/openclaw.json private, disable gateway forwarding with gateway.enabled=false or remove the gateway token unless you want raw callback data forwarded, and keep dependencies reviewed and updated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The callback handler forwards Feishu card callback content, including operator, action, context, and raw event data, to an external OpenClaw Gateway. This expands the data flow beyond a local card-handling function and can expose user interaction metadata or submitted form contents to another service without strong scoping, minimization, or explicit disclosure.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This callback server reads a broader local OpenClaw configuration file and associated secrets, including gateway settings, even though the core task is handling Feishu card callbacks. Expanding secret/config access beyond the minimum necessary increases the blast radius if the script is compromised or repurposed, and violates least-privilege expectations for an interaction handler.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description presents Feishu message/card handling, but the implementation forwards callback payloads to an OpenClaw Gateway service. That creates an undisclosed secondary data flow to another service, which can expose user interaction metadata and any embedded callback content outside the expected Feishu-only processing boundary.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The handler sends operator identifiers, context, and raw callback data to the gateway, which may include sensitive user interaction details and internal metadata. Forwarding the full raw event materially increases privacy and data exposure risk, especially because the gateway URL and token are externally configurable and the transfer is not constrained to a narrowly scoped subset of fields.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to place the App Secret directly into a persistent local config file and export it in shell environment variables, but provides no warning about secret sensitivity, file permissions, shell history, or safer secret-management practices. This can lead to accidental credential disclosure through dotfile backups, screenshots, shared machines, process inspection, logs, or source control commits, enabling unauthorized use of the Feishu app.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README tells users to start a callback server in the background without any guidance on binding scope, authentication/verification, firewalling, TLS, or exposure risks. A network-accessible callback endpoint that is deployed casually from documentation can be left exposed or misconfigured, which may allow unauthorized requests, event spoofing, or broader compromise depending on the server implementation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation encourages proactive messaging, file handling, and callback-server use without warning that user identifiers, message content, uploaded files, and callback metadata may be stored, forwarded, or exposed through integrations. In a communications skill, missing privacy and data-handling disclosures materially increases the chance of unsafe deployment and accidental over-collection of user data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script is designed to collect callback data and forward it to a Gateway without any user-facing notice or consent mechanism. Because card callbacks may include user identifiers, actions, and form values, undisclosed forwarding creates a privacy and data-governance risk, especially in enterprise messaging environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Callback data containing user interaction details is transmitted to the gateway without a clear user-facing disclosure or consent mechanism. In the context of a Feishu skill, users reasonably expect in-app handling, so silent onward transfer of interaction data to another service is a meaningful privacy and trust issue.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script uploads arbitrary local files to Feishu and sends them to a chat without any explicit user-facing warning, confirmation step, or guardrails around sensitive paths. In an agent-skill context, this increases the risk of accidental data exfiltration because the tool can transmit confidential local workspace files or secrets to an external service as a normal operation.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"test": "echo \"Error: no test specified\" && exit 1"
  },
  "dependencies": {
    "@larksuiteoapi/node-sdk": "^1.59.0",
    "axios": "^1.6.0"
  }
}
Confidence
83% confidence
Finding
"@larksuiteoapi/node-sdk": "^1.59.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@larksuiteoapi/node-sdk": "^1.59.0",
    "axios": "^1.6.0"
  }
}
Confidence
97% confidence
Finding
"axios": "^1.6.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
axios==1.6.0

VirusTotal

64/64 vendors flagged this skill as clean.
