Feishu Bot Full Setup

Security checks across malware telemetry and agentic risk

Overview

The skill does create a Feishu bot as advertised, but it requests very broad Feishu permissions, handles app secrets in ordinary messages, and can modify the local runtime during setup.

Review before installing or running. Use an isolated machine or container, preinstall trusted dependencies yourself where possible, reduce the Feishu permission list to the minimum needed, confirm publication impact before running create, treat app_secret like a password, rotate it if exposed in chat/logs, and run cleanup after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
raise FileNotFoundError(f"Chromium 不存在: {chrome_path}")

    os.makedirs(PROFILE_DIR, exist_ok=True)
    proc = subprocess.Popen(
        [
            chrome_path,
            "--headless=new",
Confidence
88% confidence
Finding
proc = subprocess.Popen( [ chrome_path, "--headless=new", f"--remote-debugging-port={port}", f"--user-data-dir={PROFILE_DIR}", "

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with tempfile.NamedTemporaryFile(suffix=".py", delete=False) as f:
        urllib.request.urlretrieve("https://bootstrap.pypa.io/get-pip.py", f.name)
        subprocess.check_call(
            [sys.executable, f.name, "--quiet", "--break-system-packages"]
        )
Confidence
98% confidence
Finding
subprocess.check_call( [sys.executable, f.name, "--quiet", "--break-system-packages"] )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except (FileNotFoundError, subprocess.CalledProcessError):
            continue
        try:
            subprocess.call(
                pkg_mgr + libs,
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
Confidence
84% confidence
Finding
subprocess.call( pkg_mgr + libs, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, )

Tainted flow: 'QR_PNG_PATH' from os.environ.get (line 90, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
qr.make(fit=True)
        img = qr.make_image(fill_color="black", back_color="white")
        img = img.convert("RGB")
        with open(QR_PNG_PATH, "wb") as f:
            img.save(f)
        _status("login", f"已写入登录二维码 PNG: {QR_PNG_PATH}")
    except Exception as e:
Confidence
86% confidence
Finding
with open(QR_PNG_PATH, "wb") as f:

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The skill not only creates a Feishu bot but also sends the generated app secret in a Feishu message to the creator account, a sensitive credential disclosure that the skill description does not clearly convey. Secrets transmitted through chat are easier to leak via message retention, forwarding, compromised accounts, or logging, increasing exposure beyond the local process.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code automatically installs Python packages, browser binaries, and even system libraries, which materially exceeds a simple bot-creation workflow and expands the attack surface through supply-chain downloads and host mutation. In a skill setting, this is dangerous because users may grant bot-creation capability without expecting package management or privileged host changes.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script stores a PID in /tmp and later kills that process with SIGKILL, which can terminate a local process outside the immediate task if the PID file is stale, replaced, or reused. In a multi-user or concurrent environment, relying on a predictable pidfile in /tmp creates a process-targeting hazard and denial-of-service risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to return app_id and app_secret directly to the user without any guidance on secure handling, redaction, storage limits, or avoidance of secondary channels. Because app_secret is a credential, exposing it in ordinary chat output or logs can lead to credential compromise, unauthorized bot control, and long-lived access if the secret is later reused or not rotated.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits highly sensitive values including app_secret and user identifiers over network API calls and chat messaging without clear user disclosure or minimization. In the context of credential provisioning, this unnecessarily increases exposure of secrets and creates downstream leakage risk in messaging systems and network traces.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code captures browser session cookies and CSRF tokens from an authenticated session and reuses them in direct HTTP requests. This effectively turns the skill into a session-riding automation client, which is powerful but risky because compromise of the process or local debugging channel could expose authenticated session material and enable account actions beyond user awareness.

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
qrcode>=7.4.2
pillow>=10.0.0
Confidence
94% confidence
Finding
playwright>=1.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
qrcode>=7.4.2
pillow>=10.0.0
Confidence
94% confidence
Finding
qrcode>=7.4.2

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
qrcode>=7.4.2
pillow>=10.0.0
Confidence
97% confidence
Finding
pillow>=10.0.0

Known Vulnerable Dependency: pillow — 10 advisories: CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
70% confidence
Finding
pillow

VirusTotal

66/66 vendors flagged this skill as clean.
