ClawHub

Feishu Cron Announce

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill clearly sets up scheduled OpenClaw notifications to Feishu, with the main user considerations being recurring execution and outbound message delivery.

Install this only if you intend to create recurring OpenClaw jobs whose results are sent to Feishu. Before enabling a job, confirm the cron schedule, timezone, prompt, account, and Feishu open_id, and avoid prompts that could send secrets, personal data, or internal-only information to the wrong recipient.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly configures scheduled delivery of AI-generated monitoring results to Feishu, an external messaging channel, but does not warn users that monitored content may include sensitive operational, personal, or business data. This omission increases the risk of unintended data disclosure because users may schedule tasks without understanding that results are being automatically transmitted outside the immediate execution environment.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
The skill hard-codes `Asia/Shanghai` as a required timezone in the command template and 'success key', which can cause jobs to run at unintended times for users in other regions. While this is not a direct security exploit primitive, it can create operational and compliance issues if scheduled monitoring or notifications are triggered outside expected windows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal