Feishu Emoji Reply

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Feishu emoji-reaction helper, with manageable cautions around optional credentials and local emoji-learning notes.

Install this if you want the agent to visibly react in Feishu and occasionally write down learned emoji mappings. Use a least-privileged Feishu app, keep app secrets in secure environment/config storage, leave reaction notifications off unless broader monitoring is intentional, and periodically review or clear any learned emoji memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill includes shell commands, environment variable usage, and references to local scripts/CLI tools, but it does not declare the permissions or capabilities needed for those operations. This creates a transparency and governance gap: an agent or reviewer may assume the skill is documentation-only while it actually enables code execution paths and access to secrets in environment variables.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The README minimizes required capabilities by stating only reaction-write permission is needed, while also documenting persistent local storage of learned emoji mappings. This mismatch can mislead operators during review and deployment, causing them to approve a skill without understanding that it also writes interaction-derived data to disk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a narrow emoji-reaction capability, but this section expands behavior into autonomous conversational reply decisions, including when to send text and when to stay silent. That widens the operational scope beyond the declared purpose and can cause the agent to take user-visible actions not clearly authorized by the skill boundary, increasing prompt-injection and unintended-behavior risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This section instructs the agent to persistently 'learn' by writing discovered emoji into workspace files, which introduces memory/state mutation unrelated to a simple reaction skill. Persistent writes create a pathway for adversarial users to influence future behavior, poison memory, or cause the agent to store untrusted content for later reuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Maintaining persistent notes such as TOOLS.md or memory files is not necessary for executing emoji reactions and materially increases the skill's privilege footprint. Any unnecessary file-maintenance behavior increases the chance of indirect prompt persistence, workspace contamination, and future-context manipulation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes automatic learning from user reactions and persistence to a local memory file without explicit notice, consent, or retention controls. Storing interaction-derived behavioral data can create privacy and compliance risk, especially if the learned entries reveal user-specific language, preferences, or internal context.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill instructs the agent to persist 'learned' emoji data into local files such as TOOLS.md or memory/emoji-learned.md without disclosure or consent. Silent persistent writes can alter future agent behavior, create prompt-injection persistence, and make later responses depend on untrusted user-supplied reactions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation text uses broad conversational triggers like mentions of likes, thumbs-up, or emoji reactions, which may cause the skill to activate in ordinary discussion rather than only when reaction tooling is actually needed. Over-broad activation increases the chance that the skill's hidden policies or side effects are applied in contexts the user did not intend.

Hidden Instructions

High
Category
Prompt Injection
Content
When a user reacts to **your message** with an emoji, decide whether to reply based on the emotion:

**Respond to:**
- Emotional: 😢 😤 😭 🙈 😮‍💨 → "Got it 💙" or "Received~"
- Confusion/doubt: ❓ 🤔 🤨 → explain or clarify
- Strong reaction: 🔥 💯 🎉 😱 → "Thanks! 😊"
Confidence
78% confidence
Finding

VirusTotal

63/63 vendors flagged this skill as clean.