self-backup-to-feishu

Security checks across malware telemetry and agentic risk

Overview

This skill has a real backup purpose, but it collects and restores sensitive email configuration and scheduled tasks with weak safeguards.

Install only after narrowing the backup scope. Exclude or redact .msmtprc, avoid backing up or restoring cron jobs by default, restrict Feishu document access, treat backup documents as untrusted input, and review every file or scheduled task before restoring it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill describes file reads, file writes, and shell-driven automation without declaring corresponding permissions, which breaks least-privilege expectations and hides the real execution surface from users and policy controls. In this context, the undocumented capabilities are especially risky because they are used to access sensitive state, credentials, and scheduled tasks.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill's stated purpose is Feishu backup/sync, but its documented behavior extends to collecting .msmtprc secrets and cron configuration while not actually implementing the promised Feishu sync and restore functions. That mismatch can mislead users into authorizing a backup workflow that exfiltrates more sensitive local state than expected and may alter system behavior during restore.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The recovery guide restores artifacts beyond simple Feishu-backed assistant state, including an email config file and system cron jobs. Reconstructing sensitive credentials and installing scheduled tasks from document content creates a code/configuration injection path if the backup document is tampered with, and materially expands the skill from state sync into host persistence and outbound communication.

Context-Inappropriate Capability

Severity: Low
Confidence: 75%
Finding: The optional recovery of communication history and 'emotional connection' broadens collection and replay of sensitive personal context beyond core state restoration. While not direct code execution, it increases privacy exposure and can import manipulative or excessive personal data from untrusted backup content.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The script advertises automatic backup to Feishu but only writes a local markdown file and a pending-sync marker. This can mislead users into believing their recovery backup exists remotely when it does not, creating integrity and availability risk during disaster recovery.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The backup scope includes `.msmtprc` email credentials and full cron jobs, which are highly sensitive and not necessary for ordinary AI state backup. Copying these into a sync-targeted backup materially increases the chance of credential disclosure, lateral movement, and leakage of operational secrets.

Intent-Code Divergence

Severity: Medium
Confidence: 82%
Finding: The generated document claims that AI can restore files and cron jobs from Feishu, but no restore implementation exists in this script. This creates a dangerous false assurance that may cause users to rely on an untested or nonexistent recovery path for critical state and system configuration.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The trigger phrases are broad enough that ordinary conversation about backup, restore, or memory sync could activate a workflow that handles highly sensitive data. For a skill that can read local files and reconstruct state, ambiguous activation increases the chance of unintended execution without informed consent.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: Automatic activation on vague events such as '掌握新技能' ("mastered a new skill") or '完成自动化任务时' ("when an automation task completes") is insufficiently scoped for a capability that reads and stores identity, memory, email configuration, and cron jobs. This creates a real risk of silent, repeated collection and persistence of sensitive data without a fresh user decision each time.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The skill instructs backup of sensitive files and system task lists but does not prominently warn users that this may capture credentials, personal memory, and operational metadata for remote storage. Because the backup target is a cloud document, insufficient warning materially increases the risk of accidental exposure and over-collection.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The restore flow rebuilds local files and reinstates scheduled tasks from remote document content without a strong warning about the local system impact. Restoring configuration and cron entries from a remotely editable document can lead to persistence, privilege abuse, or execution of attacker-controlled settings if the document is tampered with.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: Broad trigger phrases like '恢复备份' ("restore backup") and '同步记忆' ("sync memory") can overlap with normal conversation, causing the skill to initiate a high-risk restore workflow unintentionally. In this skill, accidental activation is more dangerous because the documented workflow includes writing files and restoring cron tasks.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The guide instructs restoring sensitive configuration and system task persistence without warning about credential handling, document trust, privilege boundaries, or persistence risks. Because the backup source is a document, missing risk gates make it easier for poisoned content to be written into sensitive locations or scheduled for repeated execution.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: At this point the script reads and aggregates sensitive credential material and personal state into a backup without explicit warning, consent, or scope limitation. Users may unknowingly include secrets in a document intended for later synchronization or manual handling, increasing confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script writes a comprehensive plaintext local backup containing identity, memory, user information, credentials, and operational data to disk. If the workspace is accessible to other local processes, users, backups, or later sync tooling, this file becomes a high-value target for exfiltration or tampering.

Ssd 3

Severity: High
Confidence: 98%
Finding: The skill explicitly directs backup of sensitive assistant memory, identity data, user information, email configuration, and cron task state into a Feishu document. This is dangerous because it centralizes secrets and behavioral metadata in a remote, potentially shared document system, increasing exposure from misconfiguration, compromise, or excessive retention.

Ssd 3

Severity: High
Confidence: 98%
Finding: The restore workflow reconstructs sensitive local files and scheduled tasks from remote document content, including memory and email config. In context, this is more dangerous than ordinary data restore because the remote source can become a code-adjacent control plane for local persistence and credential replacement if altered by an attacker.

Ssd 3

Severity: Medium
Confidence: 87%
Finding: The best-practice guidance encourages retaining full communication history and local cached backups, which expands the amount and lifetime of sensitive user data held by the system. Longer retention and duplicate storage increase the blast radius of compromise and make accidental disclosure more likely.

Ssd 3

Severity: High
Confidence: 97%
Finding: The document content explicitly instructs preservation and later reconstruction of all user/state data, including sensitive credentials and history. In the context of a synchronization-oriented backup skill, this broad reconstruction guidance amplifies the risk of over-collection, unauthorized restoration, secret propagation, and persistence of sensitive data beyond necessity.

Ssd 3

Severity: High
Confidence: 99%
Finding: The generated backup embeds full sensitive files, user data, memory, email configuration, and cron contents into a document intended for synchronization. This creates a direct exfiltration channel for secrets and private data, and the skill context makes it more dangerous because Feishu/cloud-style sync is the stated destination.

VirusTotal

66/66 vendors rated this skill as clean.