ClawHub

Feishu Comments

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a Feishu comment reader, but it also bundles an under-disclosed script that can close comments, including automatic bulk closure.

Review before installing. Use only with least-privilege Feishu credentials, preferably read-only scopes, unless you intentionally want comment-closing capability. The bundled resolve_comments.sh script should be removed, separated into a clearly write-capable skill, or guarded with dry-run and explicit confirmation behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes shell commands and reads credentials from a local configuration file, but it does not declare any permissions for shell or environment/file access. That mismatch reduces transparency and weakens policy enforcement, making it easier for a caller or review system to underestimate the skill's access to sensitive local resources and external network operations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This script performs state-changing PATCH requests to mark comments as resolved, which directly contradicts the skill's declared purpose of only reading comments. In an agent setting, that hidden write capability can cause unauthorized document modifications and loss of collaborator feedback without the user's informed consent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The --orphaned mode automatically inspects document content and comment metadata, then resolves comments based on heuristic matching without explicit user review. This creates a hidden bulk-modification path in a supposedly read-only skill and can silently close legitimate unresolved comments when the quote-matching heuristic is wrong or incomplete.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script reads app credentials and domain settings from a local OpenClaw config file even though that capability is not disclosed by the skill's narrow read-comments purpose. Accessing local secrets expands trust boundaries and enables the skill to authenticate outbound API operations beyond what a user would reasonably expect from a simple comment-reading tool.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file header openly states that the script resolves or closes comments, which conflicts with the declared read-comments skill behavior. That mismatch is a strong indicator that the implementation contains undisclosed capabilities and increases the risk that users or orchestrators will invoke a mutating action under false assumptions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script silently reads API credentials from a local configuration file without notifying the user at runtime or in the stated skill purpose. In an agent environment, undisclosed access to local secrets undermines user trust and can facilitate unauthorized authenticated actions against external services.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script exchanges locally sourced credentials for a tenant access token and transmits identifiers to Feishu/Lark without any user-facing disclosure or consent flow. While such network access may be necessary for a legitimate integration, it is more dangerous here because the skill is presented as a narrow read-comments tool yet authenticates to perform broader operations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal