Feishu Doc Collab

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to automate Feishu document collaboration, but it needs Review because Feishu edits can automatically start a local agent with document read/write authority after a persistent host patch.

Install only if you are comfortable modifying the OpenClaw Feishu extension and allowing Feishu document or Bitable edits to automatically start agents that can read and write through your Feishu app permissions. Use a dedicated Feishu app with access limited to intended documents and tables, keep the backup, protect and rotate the hooks token, and add allowlists or confirmation gates before using it in broad workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill requires environment and network capabilities but does not clearly declare them, while also reading local configuration from ~/.openclaw/openclaw.json and posting to a local hooks endpoint. Hidden capability requirements reduce transparency and make it easier to deploy a skill that can access secrets or trigger actions without operators fully understanding its privilege needs.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The documented purpose is document collaboration, but the behavior includes patching host extension files, reading local config for hook credentials, and routing events into /hooks/agent. This mismatch is dangerous because users may authorize what appears to be a document helper while actually installing a host-level modification that can affect broader Feishu event handling and create unintended execution paths.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The handler responds to remote Feishu edit events by reading a local user configuration file, extracting a bearer token, and invoking a privileged localhost agent hook. This creates a trust-boundary crossing from external document activity into local agent execution, which can be abused to trigger unintended autonomous actions, consume local capabilities, or cause the local agent to access and modify documents without an explicit user confirmation step.

Vague Triggers

Medium
Confidence: 76%
Finding
The trigger list contains broad phrases for automatic activation around document collaboration, increasing the chance the skill runs in situations the user did not narrowly intend. In a skill that auto-reads edited documents and appends AI replies, ambiguous triggers raise the risk of unintentional data exposure and surprise automation.

Missing User Warnings

Medium
Confidence: 91%
Finding
The description emphasizes convenience but does not prominently warn that every qualifying document edit can cause automatic document reads and inline writes. In a collaborative document environment, that omission is risky because users may place sensitive content in a doc without realizing edits trigger agent processing and response generation.

Missing User Warnings

Medium
Confidence: 91%
Finding
The code silently reads user-specific local configuration, extracts a hook token, and transmits it in an Authorization header to a localhost HTTP service whenever a remote collaboration event occurs. Even though the destination is loopback, this is still a sensitive secret use and an undisclosed bridge from remote content into local privileged automation, increasing the risk of unauthorized agent execution, privacy violations, and local service abuse.

VirusTotal

64/64 vendors flagged this skill as clean.
