OpenClaw Feishu Document Creation

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed Feishu spreadsheet automation helper, with a valid caution around using untrusted external media URLs.

Install only if you trust this skill with the configured Feishu app credentials and the spreadsheets that app can edit. Use a least-privilege Feishu app, confirm destructive operations carefully, and only provide media URLs you trust and intend to upload into Feishu.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly states that external image and file URLs will be automatically downloaded and uploaded into Feishu, but it does not warn about the security and privacy implications of fetching untrusted remote resources. This can expose users to SSRF-like network access, unintended retrieval of sensitive/internal URLs, tracking via attacker-controlled URLs, or ingestion of malicious/unexpected content if callers pass untrusted links.

VirusTotal

64/64 vendors flagged this skill as clean.
