ClawHub

feishu-process-feedback

Security checks across malware telemetry and agentic risk

Overview

This skill is a Feishu task listener with coherent goals, but it should be reviewed carefully because chat message text can reach shell commands and background workers with weak scoping.

Install only after review. Do not run this listener on a sensitive machine or production Feishu workspace until shell-based feedback sending is replaced with argument-array execution or a direct API call, and until message sources are restricted to an allowlisted test channel or sender. Avoid placing secrets in task messages, inspect the local .listener.log, .tasks.log, and .listener_state.json files, and keep the background process supervised so it can be stopped quickly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The extension guidance encourages developers to add arbitrary task handlers based on message content, expanding the skill from progress feedback into general-purpose task execution. In a background listener that processes external messages, this broadens the attack surface and can lead to unsafe automation, unintended actions, or prompt/command abuse if handlers are added without strict validation and scoping.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The document claims the skill already performs automatic Feishu listening, yet later presents Feishu API integration as a manual customization step. This mismatch can mislead users about what the skill actually does and what security review has occurred, causing them to deploy or trust a background listener whose real implementation details, auth flow, and data handling are undefined.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code builds a shell command with untrusted message content and executes it via child_process.exec. Although it escapes backslashes and double quotes, it does not safely avoid shell interpretation of constructs like command substitution, so attacker-controlled task text can potentially trigger command execution when feedback is sent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly promotes persistent background listening, task logging, and state persistence, but it does not warn users that Feishu message contents and task metadata may be continuously collected and stored locally. In a messaging-integrated skill, this omission can lead to unintended retention of sensitive business data, privacy violations, and unsafe deployment in environments where users assume transient processing.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger keywords are extremely broad and overlap with ordinary conversational language, so the background listener may treat normal Feishu messages as tasks and process them automatically. In this skill's context, that means unintended task execution, accidental data handling, noisy progress messages, and possible propagation of sensitive content into logs or external processing flows without clear user intent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill is described as continuously monitoring and processing Feishu messages in the background, but the documentation does not prominently warn users that it will keep reading messages and emit progress feedback automatically. This weakens informed consent and increases the chance that users deploy a persistent listener without understanding the privacy and operational consequences of continuous message access.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
Untrusted task text from incoming messages is forwarded directly to a child process as executable workload, effectively turning message content into process-driving input. In the context of an automated Feishu listener that creates background processes, this can enable unauthorized task execution or dangerous downstream prompt/command injection depending on how process_task.js handles its arguments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill sends task-derived content to an external messaging channel as progress feedback without any explicit disclosure, consent boundary, or data classification checks. In this skill's context, task text may contain sensitive operational instructions or user data, so automatic retransmission can leak information to unintended recipients or logs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal