ClawHub

Feishu Card Sender

Security checks across malware telemetry and agentic risk

Overview

This skill sends Feishu cards but also runs callback automation that can use local credentials, store message data, and create MoviePilot subscriptions without enough scoping or user control.

Install only if you intend to run a Feishu interactive-card automation that can receive callbacks and create MoviePilot subscriptions, not just send messages. Configure callback signature/encryption, verify the MoviePilot base URL and credential mapping, avoid untrusted poster URLs, and treat the local tmp database/queues/token cache as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions, yet its documentation clearly describes capabilities involving environment access, local file reads, network calls, and script execution. This is dangerous because users and the hosting platform cannot accurately assess or constrain what the skill can access, especially since it also reads credentials and sends outbound data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior exceeds the declared purpose: beyond sending Feishu cards, it handles callbacks, updates sent messages, persists state, and performs MoviePilot subscription writes. This mismatch is dangerous because reviewers and users may authorize a simple messaging skill while unknowingly granting an automation/integration component broader authority over external systems and data flows.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill claims to only send Feishu card messages, but the later section states it will process card callbacks and trigger MoviePilot subscription writes automatically. That hidden side effect materially changes the risk profile from outbound messaging to workflow execution against another service, which can lead to unauthorized or unexpected actions.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
A skill presented as a Feishu card sender is also documented as writing subscriptions into MoviePilot with idempotency logic. This is dangerous because the capability is unrelated to the apparent narrow purpose, increasing the chance of overprivileged deployment and surprising users with external state changes.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill claims to send Feishu cards via OpenAPI, but this router also handles inbound interactive-card callbacks, retrieves credentials, updates existing messages, and enqueues follow-up processing. That scope expansion materially increases the trust boundary and enables externally triggered state-changing behavior that users may not expect from a send-only skill.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The code persists full Feishu card JSON plus recipient identifiers and related metadata in a local SQLite database under /root/.openclaw/workspace-dev/skills/feishu-card-sender/tmp/card_snapshots.db. This creates unnecessary at-rest retention of message content and user-targeting data beyond the narrowly described purpose of sending cards, increasing exposure if the host, workspace, backups, or adjacent tooling can access the file.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The snapshot lookup and rewrite functions enable later retrieval and modification of previously sent card payloads based on identifiers such as receive_id, tmdb_id, or card_key. In this skill context, that capability can be legitimate for updating interactive cards, but without clear access control boundaries, retention limits, and data minimization, it expands the attack surface by allowing historical message content and targeting metadata to be reused or altered from local state.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The script accepts arbitrary JSON payloads plus user/account/channel metadata and writes them as generic callback jobs without enforcing that they are Feishu-card-specific. In a skill advertised as a Feishu card sender, this creates an overly broad internal capability that could be abused by other components to enqueue unintended actions or route data into a generic callback pipeline.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file implements a network-facing callback server that accepts Feishu event traffic, decrypts payloads, verifies signatures, and triggers local processing, which materially exceeds the declared skill purpose of only sending card messages via OpenAPI. This extra server-side capability expands the attack surface, introduces callback authentication and parsing risks, and could expose the host to unwanted inbound traffic or misuse if deployed unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Launching an external router process to handle callback payloads introduces an execution primitive that is not justified by the stated card-sending functionality. Even without shell injection in this file, this design increases complexity and broadens the trust boundary, making exploitation of downstream parsing, argument handling, or resource-exhaustion bugs more feasible.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill accepts an arbitrary --poster-url and later fetches it server-side with urllib, enabling attacker-controlled outbound requests from the host. This creates an SSRF primitive that can be used to probe internal services, access cloud metadata endpoints, or retrieve sensitive intranet resources and then relay the content onward as an uploaded image.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file's behavior materially exceeds the skill's declared purpose: instead of only sending Feishu cards, it accepts callback payloads and performs MoviePilot subscription creation using stored credentials. This hidden cross-system action increases the attack surface and can let a card interaction trigger unauthorized state changes in another service, especially if callback provenance or user authorization is weak elsewhere in the flow.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
A card-sending skill invoking an external credential-store helper to fetch MoviePilot credentials is an unnecessary privileged capability for the stated purpose. This broadens trust boundaries and means a callback handler can retrieve tokens for another system, which becomes dangerous if the handler is reachable with attacker-controlled inputs or if account binding is weak.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The description frames this as a Feishu card callback handler, but the operative code creates MoviePilot subscriptions. Security-relevant functionality that is mislabeled or underdeclared is dangerous because reviewers, operators, and policy systems may grant it permissions under false assumptions, leading to over-privileged deployment and missed controls.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation encourages sending structured card content to users or groups but does not clearly warn that user-provided or system-generated data will be transmitted to an external Feishu tenant. Without a disclosure step, sensitive content could be sent to unintended recipients or external parties with insufficient user awareness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states it will source credentials from CLI arguments, environment variables, and a local config file, but does not clearly warn users that it reads sensitive secrets from the environment and filesystem. This lack of transparency is risky because operators may invoke the skill without realizing it can access and use privileged application credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The job file persists user identifiers, account identifiers, and arbitrary payload content to disk in a workspace path without any minimization, retention control, or protection shown here. If the host, workspace, or queue directory is readable by other users/processes, sensitive notification contents and identifiers could be exposed or retained longer than intended.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code performs the actual server-side download of attacker-supplied poster URLs and uploads the retrieved bytes to Feishu without validation of destination safety or source trustworthiness. In practice, that means internal-only responses fetched via SSRF could be repackaged and exfiltrated to an external service under the bot’s credentials.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal