Security audit

feishu-broadcast

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to broadcast Feishu messages, but it has under-disclosed tenant-wide authority and a real shell-command injection risk.

Install only if you are an authorized Feishu tenant administrator and you are comfortable with a tool that can message every user. Before running it, harden or review the shell command construction, avoid untrusted --title or --image input, use an isolated environment with explicit Feishu credentials, inspect the dependent feishu-post and feishu-sticker skills, and prefer dry-run or a modified scoped-recipient version first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill invokes shell commands via child_process.exec using interpolated values derived from user data and CLI input, which creates unnecessary subprocess execution risk in addition to command-injection exposure. Even aside from injection, spawning secondary skills through the shell broadens the attack surface and makes security controls, argument handling, and auditing weaker than direct API calls.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The code retrieves all users and iterates over each one to send content, enabling organization-wide messaging with no apparent scoping, allowlist, or role check. In a skill context, this expansive capability is dangerous because misuse, compromise, or operator error can turn a single invocation into mass spam, phishing, or internal data dissemination.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The code proactively searches multiple parent directories for a .env file and loads Feishu credentials without any declared purpose or user consent boundary. In an agent skill context, broad secret discovery materially increases the risk of unauthorized credential use and lateral access to unrelated workspace secrets.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
This code performs external network authentication to Feishu using locally sourced app credentials, establishing outbound communication and secret transmission. In a skill with no stated purpose metadata, unexplained external access is dangerous because it can exfiltrate credentials or enable unauthorized actions against third-party services.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The getAllUsers function enumerates the full Feishu directory from department 0 with pagination, providing broad access to organizational user data. Directory-wide enumeration is highly sensitive in an agent skill because it enables reconnaissance, targeting, and collection of employee metadata beyond least privilege.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The sendPost function can deliver arbitrary Feishu messages to user identifiers, creating a direct action capability that could be abused for impersonation, phishing, spam, or data leakage. In the absence of declared purpose, recipient restrictions, or approval controls, this is a meaningful abuse path.

Missing User Warnings

Medium
Confidence: 95%
Finding
This skill is explicitly designed to send messages and media to all users in a Feishu tenant, but the documentation does not prominently warn about the tenant-wide blast radius, consent requirements, or misuse risks. In an agent/tooling context, a broad broadcast capability can enable accidental spam, social engineering, disruption, or unauthorized mass messaging if invoked without strict operator awareness and authorization checks.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill proceeds from fetching the user list directly into a full broadcast workflow without a hard confirmation step that summarizes recipient count and content. This increases the likelihood of accidental mass messaging and makes social-engineering or operator mistakes materially more damaging in a tool already capable of organization-wide distribution.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill reads Feishu app credentials from environment variables without any visible disclosure, policy gate, or consent mechanism. In an agent environment, silent secret use can violate user expectations and obscures the fact that the skill is operating with privileged external-service credentials.

Missing User Warnings

Medium
Confidence: 88%
Finding
The tenant access token is written to a shared local cache file without any evident permission hardening, encryption, or user disclosure. Cached bearer tokens can be stolen by other local processes or users and reused to access Feishu APIs until expiry.

Missing User Warnings

Medium
Confidence: 90%
Finding
The function sends recipient identifiers and message content to Feishu over the network without any visible disclosure or consent boundary. In an agent skill, opaque outbound transmission of user-supplied content is risky because it can leak sensitive information or be used for unauthorized messaging.

VirusTotal

No VirusTotal findings