Feishu File Manager

Security checks across malware telemetry and agentic risk

Overview

This instruction-only Feishu skill is mostly transparent, but it asks for broader Feishu authority than its read/download purpose justifies.

Review before installing. Use a dedicated Feishu app with only the minimum read/download scopes needed, avoid granting document write access unless you explicitly need it, protect the app secret and tenant token, and delete downloaded temporary files after processing sensitive documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill is described as a read/download-oriented Feishu file manager, but it also requests and documents `docx:document:write_only`, which expands capability into document modification. This mismatch violates least-privilege expectations and could enable unintended or unauthorized writes if the skill or an agent using it is compromised or misused.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The documented behavior centers on downloading and reading Drive files, but the permission list expands into Sheets, Bitable, and Wiki APIs that are not justified by the stated core workflow. This broadens access beyond user expectations and increases blast radius if credentials or the skill are abused.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The top-level description states the core method is reading and downloading files, yet later sections document write-capable Docx permissions. This contradiction is security-relevant because operators may approve the skill assuming read-only behavior while it actually enables content modification.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation instructs users to retrieve `appSecret` from a local config file and send it to an external API, but it does not emphasize that the secret and resulting tenant token are highly sensitive credentials. This omission increases the risk of accidental disclosure in logs, shells, screenshots, chat transcripts, or downstream tooling.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill directs downloading Feishu files to local disk and parsing their contents without warning about sensitive data handling, local persistence, or cleanup. This can lead to confidential documents being written to insecure temporary paths, retained longer than necessary, or exposed to other local users/processes.

VirusTotal

65/65 vendors flagged this skill as clean.
