Back to skill

Security audit

feishu-memory-recall

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it gives an agent broad access to Feishu group and DM message content with weak built-in scoping and persistent local token/log storage.

Install only if you intentionally want a Feishu app/agent to search and summarize messages across multiple groups and recall DMs for a specified user. Use a minimally scoped Feishu app, avoid highly privileged credentials, review which groups are in memory/active_groups.json after sync-groups, protect the workspace memory files, and do not run this where cross-chat privacy boundaries must be enforced.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill reads local OpenClaw session metadata from a user home directory to discover Feishu groups, expanding its visibility beyond explicitly configured scope. That creates an unnecessary local-information access path and can silently enumerate chats the operator did not intend to include in this memory tool.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The recall feature does more than cross-group memory: it attempts to locate and search a direct-message chat for the specified user and returns that user's DM content. Accessing DMs materially increases privacy sensitivity because users may reasonably expect private conversations not to be swept into a cross-group recall feature.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The commands advertise searching, recalling, and digesting messages across all groups and DMs, but provide no warning about privacy boundaries, consent, or data minimization. In context, this broad cross-group aggregation can expose private conversations, sensitive business content, or messages from one context into another without participants' expectations or authorization.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents writing events to rolling and permanent local memory files without warning that the data will be retained and potentially reused later. Persistent storage of cross-session events increases the chance of sensitive information being collected indefinitely, resurfacing out of context, or being accessed by other local users or processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The recall and search commands aggregate and print message contents across all tracked groups, exposing conversation data without any user-facing notice, consent flow, or minimization. In practice this enables broad retrieval of personal or confidential chat content by user ID or keyword.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The code loads app credentials from .env, exchanges them for a Feishu tenant token, and persists that token to disk in the memory directory. While common operationally, doing this without disclosure or file-permission hardening creates risk of credential misuse or token theft by other local processes/users.

Missing User Warnings

Low
Confidence
71% confidence
Finding
The event logger writes arbitrary user-provided text directly into shared workspace and memory log files. This can unintentionally persist sensitive information or permit content injection into files that other tools or agents may later consume as trusted context.

Missing User Warnings

Low
Confidence
80% confidence
Finding
Group synchronization reads local session metadata and then updates persistent tracked-group state automatically. Without explicit notice and confirmation, this broadens future data collection scope in a way the user may not realize.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documented features are designed to collect and summarize user messages across all groups and DMs, which is a broad surveillance-style capability rather than a narrowly scoped assistant action. Because the skill enables cross-context recall and aggregation, it can be exploited to profile users, leak sensitive discussions, or bypass social and organizational separation between chats.

Ssd 3

Medium
Confidence
91% confidence
Finding
Persistent event logging of cross-session information creates a durable memory layer that can accumulate sensitive operational or personal details over time. Even if each entry seems harmless, the combined historical log can reveal patterns, incidents, identities, and confidential activity far beyond the original context of the messages.

Ssd 3

Medium
Confidence
95% confidence
Finding
The how-it-works section describes automatic discovery of all connected groups from local session state and retrieval of messages from all tracked groups. That combination materially increases risk because it removes intentional scoping and makes broad collection easy by default, enabling unauthorized enumeration and centralized access to conversations across unrelated contexts.

Ssd 3

High
Confidence
96% confidence
Finding
The skill is explicitly designed for cross-group memory recall, search, and event sharing, which semantically enables centralized collection of conversations from multiple chats. In this context, the broad-surveillance capability is the core dangerous behavior, not an incidental side effect.

Ssd 3

High
Confidence
98% confidence
Finding
The recall command is purpose-built to retrieve a specific person's messages across all tracked groups and also DMs, effectively supporting targeted conversation surveillance. Because it indexes by user ID and returns message text, it can be used to profile or monitor an individual across contexts.

Ssd 3

High
Confidence
97% confidence
Finding
The search command performs keyword-based harvesting across all tracked groups and returns message excerpts. This is a classic bulk-content discovery mechanism that can be used to locate secrets, sensitive topics, or personal information at scale.

Ssd 3

Medium
Confidence
88% confidence
Finding
The digest command summarizes recent conversations across groups and includes previews of message content. Even though it is framed as a convenience feature, it still republishes multi-group activity into a consolidated feed, increasing privacy and confidentiality exposure.

Ssd 3

Medium
Confidence
84% confidence
Finding
The event logging feature persists arbitrary supplied text into RECENT_EVENTS.md and daily memory logs, creating a durable shared-memory channel. This can store sensitive or manipulative content that later influences other agents or exposes information to users with workspace access.

VirusTotal

No VirusTotal findings

View on VirusTotal