Murasame Feishu Voice

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it sends Feishu messages using credentials, runs an unbundled helper script, and silently saves outgoing text locally.

Install only if you intend this skill to send real Feishu messages to the configured receiver. Before use, review the separate feishu-voice helper script, use narrowly scoped Feishu credentials, confirm the receiver OpenID, and remove or accept the local debug file that stores sent text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes access to environment secrets, filesystem reads/writes, shell tools, and outbound network messaging to Feishu, but it does not declare permissions or clearly bound those capabilities. This creates a real trust and review gap: operators may enable the skill without realizing it can send data externally, persist state, and invoke local binaries, which materially increases the blast radius if the implementation is flawed or abused.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script writes the outgoing message text to a hard-coded local file before sending it. This creates an unnecessary secondary storage channel for potentially sensitive user content, and because it is undocumented and silently ignored on failure, users/operators may not realize message contents are being retained on disk.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Persisting outgoing message text to a hard-coded path is an unjustified capability for a text/voice sending helper and can expose private content to other local users, backup systems, or forensic recovery. The hard-coded user profile path also bypasses normal configurability and makes accidental data leakage more likely.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger guidance is broad and subjective, such as using the skill whenever a reply 'fits' Murasame voice expression. Ambiguous activation criteria can cause over-triggering, resulting in unintended transmission of message content and voice bubbles in contexts where the user did not expect or consent to external delivery.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states it will send text and voice to Feishu but does not clearly warn that reply content leaves the local agent context and is transmitted to an external service. That omission is security-relevant because users may include sensitive, regulated, or private content without understanding it will be disclosed to a third party.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The documentation says the skill will synchronously send the original Chinese text alongside voice output, with no language choice or consent mechanism. This can expose content in a forced form that the user may not want transmitted or translated, and it reduces control over what exact text is shared externally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code silently writes debug text to a local file without any warning, consent, or disclosure, which violates least surprise and can leak sensitive message content. Because exceptions are suppressed, the behavior is intentionally quiet and difficult for operators to notice during review or testing.

VirusTotal

65/65 vendors flagged this skill as clean.
