ClawHub

feishu-emoji

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: downloads public emoji images, saves them to OpenClaw's media folder, and sends them in Feishu chats.

Install only if you are comfortable with the agent fetching emoji images from third-party sites, storing them in the OpenClaw media folder, and sending them into Feishu chats. Prefer known image sources, review messages before sending in sensitive chats, avoid commercial use of scraped images, and periodically clean the media directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'img_url' from requests.get (line 49, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
headers = {"Referer": REFERER}
    
    try:
        resp = requests.get(img_url, headers=headers, timeout=10)
        resp.raise_for_status()
        
        with open(filepath, 'wb') as f:
Confidence
93% confidence
Finding
resp = requests.get(img_url, headers=headers, timeout=10)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill activates on a very broad condition ('when the user requests sending an emoji') without defining narrower triggers, approval requirements, or source restrictions. In an agent setting, this can cause unreviewed network fetches and message sends from loosely phrased user input, increasing the chance of unintended external requests and content delivery.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to download remote images from third-party sites into a local media directory and then send them, but it does not clearly disclose or constrain the external network access and local file write behavior. This is dangerous because user-triggered remote fetches can leak metadata, ingest untrusted content into a trusted local path, and enable the agent to perform side effects without explicit user awareness or validation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool automatically downloads remote content and writes it into a local media directory with no user warning, consent, or safety checks. In an agent/skill context this is more dangerous because invocation can trigger filesystem side effects and persist attacker-controlled content locally, potentially filling disk, overwriting expected files, or planting unsafe files for later handling.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest defines very broad everyday trigger keywords such as '好的', '收到', '谢谢', and '开心'. In an agent skill system, these common phrases can cause unintended activation during normal conversation, leading the agent to send images or perform actions when the user did not explicitly request the skill. The context increases risk because the skill can invoke external retrieval and message sending, so accidental triggering can create spam, confusing behavior, or unwanted outbound content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal