Lark Calendar & Tasks

Security checks across malware telemetry and agentic risk

Overview

This Lark calendar skill mostly does what it says, but it includes under-disclosed directory and messaging capabilities that deserve review before installation.

Install only if you trust the Lark app credentials and have reviewed its scopes. Use a least-privileged Lark app, avoid granting IM/message scopes unless needed, confirm event/task IDs before deletes, and be aware that employee directory data may be loaded and cached for name resolution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The Contact API fetch stores significantly more employee data than is needed for name-to-user_id resolution, including email, mobile, department IDs, and open_id. This violates data minimization and expands the privacy impact and blast radius if logs, memory, downstream functions, or later code paths expose the cache.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The module exposes listEmployees() and searchEmployees(), enabling directory enumeration and lookup of employee profile data beyond the stated automatic name-to-user_id resolution purpose. In a calendar skill, this broadens the capability from a helper resolver into a general employee directory interface, increasing privacy and insider-abuse risk.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding:
The file exposes IM messaging primitives (`replyMessage` and `sendMessage`) even though the skill is described as a calendar/task integration. This creates a capability mismatch: any downstream tool logic or prompt-injected workflow that can reach this wrapper may send arbitrary Lark messages, expanding the blast radius from scheduling actions to user/chat communication and possible data exfiltration.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
`completeTask` is advertised as completing a task, but it only calls `updateTask` without setting any completion field or invoking a completion endpoint. In an automation context, callers may believe tasks were closed when they were not, causing workflow integrity issues, missed follow-up, or unsafe operational assumptions based on false task state.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly documents delete operations for calendar events and tasks without any warning, confirmation, or safeguard guidance. In an agentic setting, this increases the chance of accidental destructive actions against real business calendars and task records, especially if an agent maps ambiguous user requests directly to these commands.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
The skill advertises automatic resolution of attendee and assignee names through an employee directory, but does not warn about the privacy implications of exposing internal staff mappings, roles, and identifiers. This can lead to unintended disclosure or overuse of directory data by downstream agents and users who may not realize personal or organizational information is being processed.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
deleteEvent performs an irreversible remote deletion against the Lark Calendar API with no in-function safeguard, confirmation requirement, or soft-delete workflow. In an agent skill context, this increases the chance that ambiguous prompts, prompt injection, or automation mistakes could delete real calendar data and notify attendees without meaningful user intent verification.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The code transmits and caches employee personal data from the Contact API without any visible indication of consent, disclosure, or purpose limitation in this module. Even if the platform allows the access, silent collection of contact details such as email and mobile creates a privacy risk and may exceed user expectations for a calendar attendee-resolution feature.

Exfiltration Commands

Severity: High
Category: Prompt Injection
Content:
}

/**
 * Send message to a chat
 * @param {string} receiveId - Chat ID or user ID
 * @param {string} receiveIdType - 'chat_id' | 'user_id' | 'open_id'
 * @param {object} content - Message content
Confidence: 95%
Finding:
Send message to

VirusTotal

63/63 vendors flagged this skill as clean.