ClawHub

Feishu Card

Security checks across malware telemetry and agentic risk

Overview

This Feishu card skill does what it says, but it uses local Feishu app credentials and hardcoded account identifiers in a way users should review before installing.

Install only if you trust the publisher and intend this skill to use your Feishu app credentials to send messages. Replace the hardcoded app_id and example recipient IDs with your own approved configuration, confirm each recipient before sending, and avoid sending sensitive content unless your Feishu app and destination are authorized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documents and facilitates network-capable actions, including outbound API calls to Feishu, but does not declare corresponding permissions. This creates a transparency and governance gap: users or the platform may not realize the skill can transmit data externally, making misuse or unexpected exfiltration harder to detect.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation instructs readers to extract a Feishu app_secret from a local credentials file, which goes beyond merely formatting and sending a card. Teaching a skill to access local secrets materially increases the chance of credential misuse and enables unauthorized API access if the skill or its user is compromised.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
Including a concrete recipient open_id embeds environment-specific targeting information that is unrelated to the general-purpose function of sending Feishu cards. This can enable accidental delivery to a real account, leak internal identifiers, and make the skill easier to repurpose for unintended messaging.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation combines secret access and outbound API transmission instructions without warning users that credentials are being read and messages are being sent to an external service. That lack of disclosure increases the risk of inadvertent secret handling and unreviewed external data transfer.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
APP_SECRET=$(cat /root/.openclaw/openclaw.json | python3 -c "import json,sys; d=json.load(sys.stdin); print(d['channels']['feishu']['appSecret'])")
TOKEN=$(curl -s -X POST "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \
  -H "Content-Type: application/json" \
  -d "{\"app_id\":\"cli_a9f5877b3378dbd8\",\"app_secret\":\"$APP_SECRET\"}" \
  | python3 -c "import json,sys; print(json.load(sys.stdin)['tenant_access_token'])")
Confidence
92% confidence
Finding
curl -s -X POST "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
'body': {'elements': [{'tag': 'markdown', 'content': '内容'}]}
}
print(json.dumps(json.dumps(card)))
" | xargs -I{} curl -s -X POST \
  "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
Confidence
90% confidence
Finding
curl -s -X POST \ "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal