Back to skill

Security audit

Feishu Multi Agent Factory

Security checks across malware telemetry and agentic risk

Overview

This skill makes real local OpenClaw configuration changes for a disclosed Feishu multi-agent setup workflow, but I did not find hidden exfiltration, deception, or unrelated destructive behavior.

Install only if you want this skill to administer your local OpenClaw setup. Back up ~/.openclaw/openclaw.json first, review the dry-run output, confirm any --remove or --restart action separately, and protect Feishu App Secrets because they are stored in the local OpenClaw config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs the agent to perform shell execution plus file reads/writes to sensitive locations like ~/.openclaw/openclaw.json and agent workspace directories, yet declares no permissions. This creates a hidden capability boundary violation: a user or reviewer may believe the skill is conversational only, while it can actually modify local configuration, create files, and invoke operational commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior goes beyond the declared purpose by supporting listing agents, removing configuration references, and restarting the gateway. This mismatch is dangerous because users may invoke a seemingly benign setup wizard without realizing it can perform destructive or service-impacting actions, especially if trigger phrases are broad or confirmations are weak.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill metadata describes batch creation/configuration of agents, but the script also supports deleting existing agents. That undisclosed destructive capability increases the chance that a user or orchestrating agent invokes the skill under incomplete assumptions, leading to unintended removal of configured agents and associated bindings.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script automatically adds every newly created agent to tools.agentToAgent.allow, granting cross-agent invocation permissions that are not disclosed in the skill description. In a multi-agent system, silently broadening trust boundaries can let newly added agents interact with or influence other agents beyond the user's intended scope.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script can restart the gateway as a side effect, and that capability is not necessary to parse configuration input or write config files. In skill contexts, undisclosed service-control behavior is risky because it can interrupt running workloads, apply configuration changes immediately, and surprise operators who expected a non-invasive setup action.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases include common expressions such as '添加 agent', '新建 agent', and '配置飞书', which can appear in normal discussion and may cause accidental activation of a skill that writes config files and can restart services. In this context, broad triggering is more dangerous because the skill handles secrets and performs state-changing local operations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.