Feishu Docx

Security checks across malware telemetry and agentic risk

Overview

This Feishu document skill has a coherent purpose, but it exposes hardcoded Feishu credentials and includes under-disclosed scripts that can upload local files and change Feishu Drive content.

Review before installing. Do not use or copy the embedded Feishu credentials; rotate or revoke them if they belong to you. Only run the scripts after replacing credentials, folder tokens, and file paths with values you explicitly control, and require confirmation before any local file upload, Feishu document creation/import, or deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill appears to require network access and local file reads but does not declare those capabilities, reducing transparency and informed consent for users. In an agent-skill context, undeclared capabilities are dangerous because they can hide data access or outbound transmission behavior that the user did not explicitly authorize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose says the skill creates and edits Feishu docx documents, but the underlying behavior reportedly also uploads local files, runs Markdown-to-docx import jobs, polls remote tasks, and deletes cloud files. That mismatch is risky because it can cause materially broader data exposure and destructive actions than the user would reasonably expect, especially when combined with hardcoded credentials and file paths.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation embeds realistic App ID and App Secret values directly in the authentication section, which constitutes credential exposure or trains users to handle secrets unsafely. If these are real or reused credentials, an attacker could authenticate to the Feishu application and access or modify associated resources.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The example code claims to demonstrate explicit credential passing but again hardcodes the App Secret in plaintext. This is dangerous because users often copy examples verbatim, leading to further secret leakage in source control, logs, prompts, or shared environments.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The implementation includes Drive file upload, markdown import, and file deletion capabilities that exceed the declared docx creation/editing scope. In an agent setting, this scope mismatch is dangerous because users or higher-level tooling may trust the manifest description and unknowingly grant a skill the ability to exfiltrate local files to Feishu or delete remote content.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads a hardcoded local Markdown file from a specific user path and then imports its contents into a remote Feishu document. Even if the file is fixed rather than arbitrary, this still creates an undisclosed local-data access and exfiltration path that is not necessary for a general-purpose document editing skill and could expose sensitive workstation data if reused or modified.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script is hardcoded to read a specific local file path and upload it to a cloud service, which creates a data exfiltration risk if reused or adapted in an agent context. Even though the path is fixed here, the behavior demonstrates local filesystem access and remote transfer without user consent, which is more dangerous in a skill that handles cloud documents.

Missing User Warnings

High
Confidence
96% confidence
Finding
Publishing embedded App ID and App Secret without any safety warning normalizes unsafe credential handling and may directly expose sensitive access material. In a reusable skill, this increases the chance of unauthorized API use and accidental propagation of secrets by downstream users.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documentation describes remote document creation and editing but does not clearly warn users that it will modify data in their Feishu workspace. In an agent setting, missing mutation warnings can lead to unintended writes, confusing automation outcomes, and reduced user ability to provide informed consent before modifying external systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
upload_file reads an arbitrary local file path and transmits the file contents to a remote Feishu API without any built-in confirmation, allowlist, or disclosure mechanism. In an agent skill context this increases the risk of unintended data exfiltration, especially if the agent can be induced to upload sensitive local files.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
delete_file performs a remote destructive action with no confirmation, guardrails, or policy checks. In an agent environment, this can lead to accidental or prompt-induced deletion of user data in Feishu Drive, even if the deletion is initially a move to trash.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script uploads the contents of a local file to Feishu without any user-facing disclosure, confirmation, or indication that local data will be transmitted to a third-party service. In the context of a Feishu docx skill, remote document creation is expected, but silently sourcing data from a local filesystem path makes the behavior materially more dangerous because it can transfer unintended sensitive content.

Missing User Warnings

High
Confidence
99% confidence
Finding
Hardcoded App ID and App Secret embedded in source code are exposed to anyone with access to the skill, enabling unauthorized use of the Feishu integration and possible abuse of associated API permissions. This is especially dangerous in a reusable skill because credentials may be copied, leaked through version control, or used to access or create documents under the owner's tenant without user awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uploads a local file, creates a cloud document, and deletes the temporary uploaded source object without any confirmation or warning beyond console prints. In an automated skill, this can cause unintended disclosure to a remote service and destructive side effects without giving the user a chance to review the operation.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script contains hardcoded Feishu App ID and App Secret directly in source code, exposing credentials to anyone with file access and making unauthorized API use possible. In a skill context, embedded secrets are especially dangerous because they may be distributed, logged, or reused by agents without the operator realizing it.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script embeds a Feishu App ID and App Secret directly in source code, which exposes live credentials to anyone who can read the repository, logs, backups, or packaged skill files. These secrets can be reused to authenticate to the Feishu API, potentially allowing unauthorized document creation, modification, or broader access depending on the app's granted scopes.

VirusTotal

66/66 vendors flagged this skill as clean.