Feishu Article Collector

Security checks across malware telemetry and agentic risk

Overview

This article-collection skill largely does what it says, but it has enough high-impact automation and weak scoping that users should review it before installing.

Install only in a controlled Feishu workspace with a dedicated low-privilege app and trusted bot chats. Do not use it for confidential, internal, subscription-only, or personal links unless you are comfortable with article content and derived metadata being sent to DeepSeek and stored in Feishu. Before production use, tighten hostname validation, re-check or disable redirects, add an explicit command or authorization gate, document data handling, and remove or gate the full_access setup helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Tainted flow: 'url' from requests.post (line 404, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
def fetch_wechat_article(url):
    """Fetch a WeChat Official Account article"""
    try:
        resp = requests.get(url, headers=HEADERS, timeout=15, allow_redirects=True)
        resp.encoding = "utf-8"
        html = resp.text
Confidence: 95%
Finding: resp = requests.get(url, headers=HEADERS, timeout=15, allow_redirects=True)

Tainted flow: 'url' from requests.post (line 404, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
def fetch_toutiao_article(url):
    """Fetch the body text of a Toutiao article"""
    try:
        resp = requests.get(url, headers=HEADERS, timeout=15, allow_redirects=True)
        resp.encoding = "utf-8"
        html = resp.text
Confidence: 95%
Finding: resp = requests.get(url, headers=HEADERS, timeout=15, allow_redirects=True)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill invokes a Python script that necessarily uses environment secrets, network access, and local file state, but the skill does not declare corresponding permissions or clearly surface those capabilities to users. This reduces transparency and weakens reviewability, making it easier for sensitive operations like external API calls and local state writes to occur without explicit user understanding or platform enforcement.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented purpose is article collection and storage, but the broader behavior includes automatic Bitable creation/discovery, local caching of identifiers, and a separate utility that can grant full access to the Bitable. That mismatch is security-relevant because it expands the trust boundary and privilege scope beyond what a user would reasonably expect, increasing the chance of unauthorized sharing, persistence, or overbroad access management.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The script grants a specified user full access to the newly created Feishu bitable, but this permission-sharing behavior is not disclosed by the skill description. Undisclosed privilege grants can expose collected article data and permit unauthorized modification, deletion, or lateral access by another account.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: For an article-collection skill, assigning full_access to another user is broader than needed and introduces an unnecessary capability to alter sharing on created resources. This can let an unintended principal fully control the bitable contents and permissions, which exceeds the stated purpose of collecting and summarizing articles.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The documented trigger condition is very broad: any message containing a supported article link causes automatic fetching, summarization, and storage. In a chat-integrated skill, this can lead to unintended processing of links shared casually, ingestion of sensitive/internal articles, and unauthorized persistent writes to Feishu without an explicit confirmation step or narrow scope control.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README states that article content will be fetched, summarized by DeepSeek, and stored in Feishu, but it does not clearly disclose that article text may be transmitted to third-party AI services and persistently written to a shared workspace. This lack of transparency increases the risk of privacy, compliance, and data-handling issues, especially if users submit links containing proprietary, personal, or access-restricted content.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill instructs passing the user's complete message text directly into the script and does not warn that this content may be sent to external services for summarization and then stored in Feishu. In context, this is more dangerous because chat messages may contain unrelated sensitive data beyond the article URL, causing unnecessary disclosure to third-party APIs and persistent storage.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill sends scraped article text or title to DeepSeek for summarization without any consent gate, visibility at runtime, or data-minimization control. In this context, users may share subscription-only, sensitive, or proprietary content, so undisclosed third-party transmission creates a real privacy and compliance risk.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The script changes permissions by granting full access to a user without any explicit warning, confirmation, or visible audit control. Silent privilege elevation on remote resources is security-relevant because it can expose stored content and grant broad control to an unintended or misconfigured account.

VirusTotal

66/66 vendors flagged this skill as clean.
