feishu-multi-agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Feishu multi-agent setup guide, but it asks agents to run persistent automation with cross-workspace file access, automatic git publishing, and proactive messaging without enough safety controls.

Install only if you deliberately want persistent Feishu-connected agents that can act across workspaces, run recurring jobs, modify repositories, and send messages. Use dedicated non-sensitive workspaces and repositories, least-privilege Feishu bots, manual review before git push or public messaging, strict task-queue paths, and review or disable every cron job before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The heartbeat directs an agent to autonomously run git pull, develop, commit, and push in a continuous loop. This creates ongoing repository modification and outbound network activity without explicit approval gates, branch restrictions, or safeguards against bad commits, data leakage, or destructive changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The guidance tells an agent to generate unsolicited user-facing social content, including '发一张自拍' ("post a selfie"), when no task exists. That extends the skill from orchestration into autonomous impersonation and content generation, and can cause reputational harm, policy violations, or deceptive interactions if users are not clearly informed.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill instructs a supervisory agent to write files into other agents' workspaces via bash as a workaround for sandbox restrictions. This enables cross-workspace modification and delegated task injection while downplaying the security significance, which can surprise operators and weaken isolation expectations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The heartbeat tells agents to keep working indefinitely and perform git pull/commit/push automatically, but does not clearly warn that this causes continuous code changes and network operations until stopped. In practice this can lead to unattended drift, accidental publication, and hard-to-audit automated actions.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The cron examples configure recurring autonomous jobs, including user-facing messaging, without a strong warning that they will continue running until disabled. This can cause persistent unattended behavior, repeated outbound actions, and operator confusion about why agents continue acting over time.

VirusTotal

65/65 vendors flagged this skill as clean.
