Feishu Card Messages

Security checks across malware telemetry and agentic risk

Overview

This skill appears to send Feishu/Lark cards as advertised, but it has review-worthy issues around restriction-bypass framing, live message sending, and sensitive message logging.

Review before installing. Use only with Feishu/Lark credentials you control, least-privilege app scopes, and approved recipients. Do not send sensitive content unless your organization allows it, avoid production use of any built-in test harness, and check logs for message payload exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium, 94% confidence

The built-in main() test harness performs real outbound actions using production-style credentials and a hard-coded recipient ID, which means executing the file can send live messages without additional confirmation. In an agent-skill context, this expands the module from a passive library into an active sender, increasing the chance of unintended data transmission, spam, or misuse of configured credentials.

Intent-Code Divergence

Medium, 96% confidence

`cancelBatch` only flips status metadata and records timing, but the already scheduled `processInBatches` loop and in-flight `processor` calls continue executing. In any system relying on cancellation for safety, cost control, rate limiting, or preventing duplicate side effects, callers may believe work has stopped when it is still mutating external systems.

Missing User Warnings

Medium, 91% confidence

The README instructs users to export Feishu app credentials and send message content to Feishu's external API, but it does not warn about secure secret storage, least-privilege handling, or the privacy implications of transmitting potentially sensitive content off-platform. This can lead to accidental credential exposure in shells, logs, screenshots, or unsafe deployments, and can cause users to unknowingly send sensitive data to a third-party service.

Missing User Warnings

Medium, 95% confidence

The skill explicitly documents sending Feishu messages using app credentials and recipient identifiers, but it does not clearly disclose that message content, recipient data, and credentials-derived access tokens will be used to communicate with an external third-party service. This creates a real privacy and transparency risk because users may unknowingly transmit sensitive business or personal information outside the local agent environment.

Missing User Warnings

Medium, 90% confidence

The guide instructs users to export and partially print Feishu application credentials without any warning about secure secret storage, log exposure, or avoiding shell history leakage. In an integration guide, this can normalize unsafe handling of production secrets and increase the chance that credentials are exposed through terminals, screenshots, CI logs, or shared shell sessions.

Missing User Warnings

Medium, 88% confidence

This function transmits caller-supplied recipient identifiers and card content to Feishu over the network without any explicit consent, allowlist, or disclosure boundary in the API. In a skill environment, that creates a data exfiltration and unintended-message risk if upstream inputs contain sensitive information or an attacker controls the destination ID.

Missing User Warnings

Medium, 89% confidence

The code logs full message contents and targets to the console before sending, which can expose sensitive card payloads, personal data, tokens, or internal business information to anyone with access to application logs. In an agent skill context, message bodies may contain user-supplied or workflow-derived secrets, making this more dangerous because logs are often centralized, retained, and broadly accessible.

Ssd 2

Medium, 94% confidence

The phrase '绕过OpenClaw限制' ("bypass OpenClaw restrictions") explicitly markets the skill as a way to bypass platform restrictions, which is a strong indicator of policy evasion behavior. Even in a README, positioning the tool as a restriction bypass increases the likelihood that users will use it to circumvent governance, monitoring, or safety controls that the platform intended to enforce.

VirusTotal

66/66 vendors flagged this skill as clean.
