ClawHub
Back to skill

Security audit

feishu-calendar

Security checks across malware telemetry and agentic risk

Overview

This is a real Feishu calendar tool, but it needs review because some bundled scripts can create recurring public events, change sharing, or delete calendar entries without strong confirmation or scoping.

Install only if you are comfortable granting this skill Feishu calendar read/write/delete and sharing-management authority. Use least-privilege Feishu app credentials and a dedicated test calendar first, avoid running cleanup.js, setup_routine.js, or sync_routine.js without reviewing the target calendar and event list, and require explicit confirmation before any create, delete, recurring-event, attendee notification, or member-permission change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The module explicitly loads credentials from a project-level .env file and immediately uses them to instantiate an API client, giving this skill access to Feishu app secrets and calendar data. In an agent/skill context with no stated justification or scope controls, this expands privilege unnecessarily and creates a path for secret use and downstream data access beyond what a calendar helper should implicitly assume.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
If no matching calendar is found, the code silently selects the first available calendar, which may belong to a different user, team, or purpose than intended. In combination with later read/write operations and fallback behavior, this can cause unauthorized access to or modification of unrelated calendars rather than merely returning no result.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script loads Feishu application credentials and a master identifier from a shared .env file in order to perform a calendar search, but the file provides no user consent flow, access control, or clear business justification for using privileged secrets. In an agent-skill context, undisclosed secret usage to access organizational calendar data creates unnecessary credential exposure and can enable unauthorized discovery of internal resources.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script performs real calendar enumeration, deletion, and event creation against a live Feishu/Lark account with no in-file justification, dry-run mode, scoping guardrails, or user approval. In an agent-skill context, broad remote modification capability is dangerous because it can alter organizational data beyond what a user reasonably expects from an unspecified setup routine.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases "Mark this task" and especially "Remind me to..." are broad enough to match ordinary conversational requests, which can cause the skill to create calendar events when the user did not intend to invoke an action-taking workflow. In this skill's context, the trigger directly leads to event creation with attendees, so ambiguous activation increases the risk of unintended calendar modifications.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The setup section mentions FEISHU_APP_ID and FEISHU_APP_SECRET but does not frame them as sensitive credentials or warn against exposing them in logs, prompts, screenshots, or source control. Because this skill interfaces with calendar APIs, mishandling these secrets could allow unauthorized access to calendar data and operations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The task-marking workflow instructs the agent to execute create.js to generate calendar events on the user's behalf, but it does not warn that this is a state-changing action affecting real calendar data. In context, silent or poorly signposted writes to a user's calendar can lead to unauthorized event creation, attendee notifications, and trust or workflow disruption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The shared-calendar setup command can create a new calendar and assign member roles, yet the documentation does not warn that it changes access permissions for other users. In this context, permission-modifying actions are more dangerous than simple reads because a mistaken or ambiguous invocation could grant inappropriate access or alter collaboration boundaries across a project.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script performs irreversible deletion of calendar events without any explicit confirmation, dry-run mode, or secondary validation of the target calendar and event set. In an agent or automation context, this makes accidental or unintended destructive actions much more dangerous, especially because the script can fall back to the primary calendar and then delete matching events there.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function performs calendar event creation directly from supplied input with no confirmation, authorization check, or user-visible warning. In an agent setting, that means untrusted or mistaken prompts can trigger persistent external side effects, including writing to the wrong calendar because of the code's fallback logic.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Sensitive environment credentials are consumed silently, with no disclosure to the user that the skill will access Feishu app secrets. In a skill environment, hidden credential use is risky because users and operators cannot evaluate whether the skill’s behavior matches its stated purpose, and secret access may be abused or expanded later.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends a personal-name search query to Feishu’s calendar API without any notice, consent, or validation of the target. Even if the API call is legitimate, silently transmitting identifiable employee information to enumerate calendars can expose internal directory/calendar metadata and violates expectations of transparent data handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code deletes events automatically based only on summary substring matching ('Test' or 'Invite') and does so without confirmation, preview, or rollback. This can remove legitimate events that happen to match those strings, especially after the fallback to the primary calendar, making unintended data loss likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script creates recurring calendar events through network API calls without an upfront warning that it will modify remote account data. Because it defaults or falls back to the primary calendar, it can create persistent recurring events in a user's main calendar unexpectedly, causing operational noise or confusion.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes raw calendar event objects to ../../memory/calendar_events.json without any notice, consent, minimization, or access control. Calendar data commonly contains sensitive titles, times, locations, and attendee information, so persisting it to disk can create unintended data exposure and retention risks if other components or users can access that path.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script rewrites HEARTBEAT.md using calendar-derived content, which can silently alter a user-facing file and leak private schedule details into a broader, more visible artifact. This is especially risky because event summaries are inserted directly, so confidential meeting names or sensitive text may be exposed to anyone who reads the file or to downstream tooling that consumes it.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This script creates recurring calendar events through an external manager with no interactive confirmation, authorization check, or dry-run mode. If run in the wrong context or with access to a shared calendar, it can silently modify a user's schedule and expose task details because the events are created as public.

VirusTotal

No VirusTotal findings

View on VirusTotal