Feishu Upload Skill

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it bundles and exposes Feishu credentials and can perform authentication during installation, so users should review it before installing.

Install only after removing and rotating the bundled Feishu APP_SECRET, replacing it with user-controlled secret storage, disabling install-time token acquisition, and removing token/API-response logging. Treat any uploaded file as shared with Feishu and the target chat, and avoid sending secrets, private workspace data, memory archives, or regulated data unless that disclosure is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (18)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script is presented as a general-purpose upload utility, but it reads a persistent Feishu access token from disk and then prints part of that bearer token to stdout. Even partial token disclosure is sensitive because logs, terminal history capture, screen sharing, or monitoring systems may expose credentials to unauthorized viewers.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script reads a Feishu access token from disk and then prints part of that credential and later prints upload-related tokens/URLs to stdout. Even partial credential disclosure and full upload token exposure can leak sensitive authentication material into shell history, CI logs, terminal recordings, or shared console sessions, enabling unauthorized file operations or aiding further compromise.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script claims to only obtain a Feishu access token, but it also immediately uses that token to access the Feishu Drive API. This is dangerous because it expands the script's behavior beyond its stated purpose, causing unanticipated use of privileged credentials and increasing the risk of unauthorized data access.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script reads a bearer token from disk and logs the first 30 characters to stdout. Even partial credential disclosure is sensitive because logs are often persisted, shared, or collected centrally, and the exposed prefix can aid token identification or accidental leakage during troubleshooting.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script reads a bearer token from a local file and prints the first 30 characters to stdout. Even partial credential disclosure is sensitive because logs, terminal history, CI output, or shared consoles can expose enough information to aid token identification, correlation, or accidental leakage to unauthorized parties.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes uploading arbitrary local files to Feishu chats, including examples involving memory archives, but provides no warning that this transfers potentially sensitive local data to a third-party service and other chat participants. In an agent skill context, this increases the risk of accidental data exfiltration because users may invoke the tool on sensitive workspace files without understanding the disclosure consequences.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes token retrieval, storage, and configuration locations for App ID/Secret and access tokens, but omits any warning that these credentials and token files are sensitive secrets that can enable unauthorized API access if exposed. In a reusable skill package, normalizing plaintext token handling without caution makes accidental leakage more likely through logs, copied files, or permissive filesystem access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation promotes uploading local files to Feishu chats but does not clearly warn users that local data will be transmitted to an external cloud service and shared with chat recipients. In an agent/tool context, that omission can cause accidental disclosure of sensitive files because users may not realize the privacy and data-transfer implications before invoking the skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation advertises automatic token acquisition and refresh but does not emphasize that Feishu app credentials and cached access tokens are sensitive secrets. This increases the risk that operators will store tokens insecurely, expose them in logs/files such as feishu_token.txt, or mishandle app secrets, enabling unauthorized API access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The manifest explicitly advertises direct upload of files to Feishu and sending them into chat, but it provides no warning that user-selected content will be transmitted to a third-party service. This creates a meaningful privacy and data-handling risk because users or downstream agents may invoke the tool without understanding that sensitive local files could leave the current environment.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script reads a bearer token directly from a fixed local credential file and then uses it to perform network actions, without any user confirmation, disclosure, or scope restriction. In an agent/skill context, this creates a confused-deputy risk: a user invoking file upload may unknowingly authorize use of pre-existing credentials tied to another account or broader permissions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code reads an arbitrary local file and transmits its contents to Feishu over the network immediately after invocation, with no explicit warning, confirmation, allowlist, or content sensitivity check. In a skill setting this is dangerous because it can exfiltrate local workspace data or sensitive files to an external service under the guise of a normal utility action.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script explicitly displays the first 30 characters of a bearer token to the user. Bearer tokens are credentials, and exposing a large prefix materially increases the chance of credential theft through logs, screenshots, shell session recording, or shoulder surfing.

Missing User Warnings

High
Confidence
97% confidence
Finding
The line `echo "使用访问令牌: ${ACCESS_TOKEN:0:30}..."` exposes the first 30 characters of a bearer token, which is a substantial portion of a secret and may be enough to identify, correlate, or reconstruct the credential in some environments. Console output is frequently captured in logs and monitoring systems, turning a local secret into a broadly accessible artifact.

Missing User Warnings

High
Confidence
100% confidence
Finding
The script contains a hardcoded Feishu app secret and transmits it over the network to obtain a tenant access token. Hardcoded secrets are highly sensitive because anyone with access to the file can reuse them, and their presence in a skill/script strongly indicates credential exposure and unauthorized access risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes the obtained tenant access token to a predictable file path on disk, where it may be read by other local processes, users, or later tooling. Persisting bearer tokens unnecessarily increases the chance of credential theft and unauthorized API use.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The installer automatically executes a secondary script to obtain a Feishu access token if a token file is absent, but gives no transparency about what credentials, secrets, or network requests that helper will use. In a skill-install context, silently invoking token acquisition expands trust from file installation into credential handling and outbound communication, which can expose secrets or trigger unintended authorization flows.

External Transmission

Medium
Category
Data Exfiltration
Content
# Obtain the access token
echo -e "\n获取访问令牌..."
RESPONSE=$(curl -s -X POST \
  "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d "{\"app_id\":\"$APP_ID\",\"app_secret\":\"$APP_SECRET\"}")
Confidence
95% confidence
Finding
curl -s -X POST \ "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \ -H "Content-Type: application/json; charset=utf-8" \ -d

VirusTotal

62/62 vendors flagged this skill as clean.
