
Security audit

百科虾

Security checks across malware telemetry and agentic risk

Overview

This Feishu company Q&A skill is mostly purpose-aligned, but it can send messages and upload local files from arbitrary paths to Feishu, so users should review it carefully before installing.

Install only in an isolated agent workspace with Feishu credentials scoped to this bot and wiki. Review wiki_list.json, restrict who can run sync and send-message.js, and treat cached content as internal company data. The main issue to fix before broad deployment is to restrict MEDIA/IMG uploads to approved cache directories and to require the intended Feishu account to be specified explicitly rather than falling back to whichever account is configured.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill documentation describes shell execution and environment/credential-dependent behavior, but no explicit permissions are declared. That creates a transparency and least-privilege gap: users or host systems may treat the skill as lower risk than it really is, even though it can run commands and access sensitive runtime configuration.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The stated purpose is a constrained company Q&A skill, but the documented behavior includes syncing remote Feishu content, reading local credentials, and proactively sending messages with mentions and media. This mismatch is dangerous because it obscures the true trust boundary and grants operators a materially different capability set than the manifest suggests.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: A company knowledge Q&A skill including message-sending and attachment/image delivery broadens the attack surface beyond passive answering. If abused, it could be used to send unsolicited content, mentions, or files to users under the cover of a benign internal assistant.

Context-Inappropriate Capability
Severity: Medium
Confidence: 86%
Finding: Administrator-triggered synchronization against external Feishu APIs is a materially privileged capability not obvious from the end-user Q&A description. Even if intended for maintenance, it introduces external connectivity, credential use, and local persistence that can expose sensitive company content if misused or misconfigured.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The script reads Feishu credentials from the user's home directory and can select accounts via an environment variable, broadening the trust boundary beyond the specific skill. If this script is invoked in an untrusted context, it may use whichever configured account is available, enabling unintended message sending under another tenant or bot identity.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The MEDIA/IMG handling accepts attacker-controlled paths, including absolute paths, then reads local files and uploads them to Feishu. This creates a direct local file exfiltration primitive: any process or prompt that can influence message content can cause sensitive files to be transmitted externally.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The sync logic recursively reads not only the configured wiki pages but also linked wiki pages, attachments, images, and board references, then persists them into the local workspace cache. For a company Q&A skill, this materially expands data collection and retention beyond the minimally necessary text knowledge base, increasing the chance of over-collection of sensitive internal content and local data exposure.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The script loads Feishu app credentials directly from files in the user's home directory and uses them to mint access tokens without any interactive disclosure or scope check in this script. Accessing sensitive local credentials is security-relevant, and in a skill whose stated purpose is answering company-policy questions, this creates a hidden trust boundary crossing from local secrets to remote data access.

Missing User Warnings
Severity: Low
Confidence: 78%
Finding: The documentation notes credential storage in openclaw.json but does not clearly explain the security implications of using those credentials for Feishu API reads and message sends. This can lead to unsafe deployment, poor secret handling, or underestimation of the blast radius if the workspace or config is exposed.

Missing User Warnings
Severity: Medium
Confidence: 85%
Finding: The script transmits arbitrary message content and uploaded images to an external Feishu API without any explicit consent, confirmation, or policy gate. In a skill intended for internal knowledge answers, this increases the risk that sensitive content, local files, or unintended mentions are sent outside the immediate execution context without user awareness.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The script silently consumes locally stored OpenClaw/Feishu credentials from the operator's home directory, which is sensitive credential access not evident from the high-level skill description. Even if intended for legitimate sync, undisclosed use of local secrets increases the risk of surprise privilege use and unauthorized data retrieval if the script is reused or misconfigured.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The script downloads remote media and writes files into workspace cache directories without any explicit user-facing warning, review step, or content-type/size guard. This can unexpectedly persist internal documents and media on disk, enlarging the local attack surface and increasing risk from sensitive file retention.

VirusTotal

63/63 vendors flagged this skill as clean.
