Article Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill matches its article-analysis purpose, but it needs review because it can monitor chat-shared URLs and store article-derived data in Feishu/Bitable without strong privacy, consent, or dry-run controls.

Review Feishu permissions, target chats, and Bitable tables before installing. Treat submitted URLs, fetched article content, summaries, reports, cover images, sender/message metadata, assignee IDs, local caches, and config backups as potentially persistent. Avoid sensitive or internal content unless users in the chat have notice and consent, replace all example credentials with clearly fake placeholders, and verify paths before running cleanup or bulk update commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (16)

Intent-Code Divergence

Medium
Confidence: 86%
Finding
The merge logic claims to preserve existing sensitive Bitable credentials, but the implementation starts from a shallow copy of the existing config and then assigns non-dict keys from the new config. In the bitable branch, if the new config contains additional keys or the structure differs, the behavior is brittle and can violate the documented guarantee, causing accidental overwrite or corruption of sensitive settings during upgrade or merge operations.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The shell script comments and top-level path construction imply all file operations are confined to the skill directory, but the embedded Python cleanup code later derives its base path from `Path.cwd()` when `__file__` is unavailable. In a heredoc-executed Python snippet, `__file__` is typically not set, so running the script from an unexpected working directory can cause cleanup to read or rewrite a different `data/url_cache.json` outside the intended skill scope.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The inline comment claims the Python cleanup uses a safe relative path, but the code actually falls back to `Path.cwd()` and constructs `data/url_cache.json` from the current working directory. That means an attacker or caller controlling the launch directory could influence which cache file gets truncated or rewritten, creating unintended file modification outside the skill directory.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly states that the workflow will create Feishu documents and archive results to Bitable, but it does not warn users that article content, summaries, metadata, and generated reports may be transmitted to external third-party services. This creates a data transparency and privacy risk: users may submit internal, proprietary, or personal-content URLs without realizing the data will be copied into external SaaS systems.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly states that article analysis results are archived to Feishu Bitable and documents, but it does not clearly warn that user-provided URLs, fetched article content, summaries, tags, and generated reports may be transmitted to external Feishu services. This creates a real privacy and data-handling transparency issue, especially if users assume processing is local or confined to the agent environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises automatic processing of article links from group chats and heartbeat-triggered handling, but does not provide a clear warning that chat-shared URLs and derived content may be monitored, fetched, analyzed, and transmitted onward. In a group-chat context, this is more dangerous because participants other than the operator may not expect their shared links to be automatically processed or stored in external systems.

Missing User Warnings

Medium
Confidence: 97%
Finding
The document includes real-looking Bitable app tokens and table IDs in JSON and shell examples, but does not label them as fake placeholders or warn users not to reuse or commit them. Even in documentation, publishing credential-shaped values can lead to accidental reuse, confusion about whether they are active secrets, and unsafe copy-paste into local configs or repositories.

Missing User Warnings

Medium
Confidence: 91%
Finding
The uninstall section documents recursive deletion commands for the skill and related data/log directories without any explicit warning that these actions are irreversible and will destroy local state. In a migration guide, users may copy-paste these commands directly, increasing the chance of accidental data loss even if the paths shown are scoped to the skill.

Missing User Warnings

Low
Confidence: 84%
Finding
The guide recommends running ./install.sh and copying a configuration template that will contain tokens, but it does not explicitly warn users to review the script before execution or protect the generated config.json as a secret. This omission can lead to unsafe execution of untrusted shell code or accidental exposure of credentials during migration and setup.

Missing User Warnings

Medium
Confidence: 79%
Finding
The guide advertises an automatic workflow that downloads images and uploads them to Feishu, but provides no warning about external network transfer or possible disclosure of article content and media. In a content-analysis skill, this matters because users may process proprietary, unpublished, or sensitive documents and not realize assets are being sent to a third-party platform.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation describes an automation that reads Feishu group chat messages, extracts URLs, processes content, and posts summaries back to the chat, but it provides no privacy notice, consent model, data-retention guidance, or handling restrictions. In a messaging context, this can lead to unintended collection and redistribution of user-generated content and metadata, especially if participants do not expect automated monitoring of group messages.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document describes a workflow that fetches arbitrary URLs and then sends derived content and metadata to external systems such as Feishu Docs and Bitable, but it does not clearly warn users that network access and third-party data transmission will occur. In an agent skill context, this can lead to unintended exfiltration of sensitive URLs, page contents, summaries, or titles if users assume analysis is local-only or do not realize archiving is automatic.

Missing User Warnings

Low
Confidence: 86%
Finding
The document instructs users to auto-fill and persist a specific Feishu user open_id in the assignee field, but it does not clearly call out that this is personal identifier processing and storage. While this is expected functionality for a personnel field, the lack of disclosure and guidance on consent/minimization can lead to inadvertent handling of user-identifying data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide describes extracting an image URL from article content, downloading it, and uploading it to Feishu/Bitable without warning that this performs external network fetches and transfers content into another system. If the source content is untrusted, this can create privacy, copyright, and SSRF-like risk depending on how URL fetching is implemented.

Missing User Warnings

Medium
Confidence: 88%
Finding
The batch update example shows a command that adds assignees to all records, but it does not prominently warn that it will modify existing data at scale. In an automation skill context, undocumented bulk-write behavior increases the chance of accidental mass changes and assignment errors.

Missing User Warnings

Medium
Confidence: 93%
Finding
The guide prompts users to enter a Bitable App Token and then writes it to config.json, with backup to .config.backup.json, without clearly warning that a secret will be stored on disk. This increases the chance of credential exposure through local file disclosure, accidental commits, backups, or multi-user systems, especially because the backup duplicates the secret.

VirusTotal

65/65 vendors flagged this skill as clean.
