科技新闻日报

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a daily tech-news reporting workflow, but it automatically publishes to hardcoded Feishu destinations and grants full document access to a fixed account.

Install only if the hardcoded Feishu knowledge base, chat, and OpenID are yours or explicitly intended. Before running it, replace the Feishu targets, remove or confirm the full_access grant, avoid the FEISHU_APP_SECRET fallback unless you control the app scopes, and review the generated report before any Feishu upload or group post.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: High (98% confidence)

Finding: The skill explicitly grants `full_access` on the generated Feishu document to a hard-coded third-party user (`ou_d8ace8a146610ca26bc07d8e68a5620f`) while representing the workflow as only sending a link to the group. This creates unauthorized data sharing and modification capability beyond the user's apparent intent, and the mismatch between stated behavior and actual permissioning increases risk.

Context-Inappropriate Capability

Severity: High (97% confidence)

Finding: Granting `full_access` to a specific Feishu account is unrelated to the stated purpose of aggregating and publishing tech news. It gives an unrelated principal persistent edit/control rights over generated documents, which can expose content, enable tampering, and create a covert sharing channel.

Context-Inappropriate Capability

Severity: Medium (88% confidence)

Finding: The fallback path introduces direct handling of a Feishu `app_secret` and token retrieval even though the skill's core purpose is news collection and reporting. Expanding the skill to process credentials increases the attack surface and risks secret exposure through logs, command history, transcripts, or misuse of the obtained access token.

Missing User Warnings

Severity: Medium (91% confidence)

Finding: The skill writes files locally and appends synchronization metadata without any explicit user notice or confirmation. Silent persistence can surprise users, retain potentially sensitive workspace context, and create an unintended audit trail on disk.

Missing User Warnings

Severity: High (97% confidence)

Finding: The workflow creates Feishu documents, modifies document permissions, and sends document links to a group without a clear up-front disclosure that collected content will be transmitted to external services and shared with others. This is dangerous because it combines publication, permissioning, and messaging actions that can leak data outside the local environment without informed consent.

Ssd 3

Severity: High (96% confidence)

Finding: The fallback instructions place secret-dependent authentication directly in shell commands, including the use of `app_secret` in a plain operational flow. This encourages handling secrets in ways that may expose them in logs, shell history, process listings, or agent transcripts, which can lead to compromise of the Feishu integration.

Ssd 3

Severity: Medium (83% confidence)

Finding: Persisting checkpoint files with task state, local file paths, timestamps, and Feishu document URLs creates a durable metadata trail that may reveal user activity, workspace structure, and externally shared document locations. Even if the report content is not highly sensitive, this retained operational metadata can aid reconnaissance or unauthorized access if local files are exposed.

VirusTotal

65/65 vendors flagged this skill as clean.