Yuqing Data To Bitable

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine XiaoAi-to-Feishu sync skill, but it needs review: it can repeatedly modify Feishu Bitable data, and its manifest under-declares the credential, persistence, and secret-handling risks involved.

Review before installing. Use least-privileged Feishu and XiaoAi credentials, run it manually against a test Bitable first, protect the .env file and the .cache directory, avoid passing secrets on the command line where possible, and confirm whether any cron job or long-running sync loop is enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium severity, 84% confidence
Finding
The troubleshooting guidance tells users to remove the lock file if it is older than 10 minutes, but it does not warn that a still-running process could legitimately hold that lock. Deleting the lock without verifying process state can cause concurrent executions, leading to data corruption, duplicate syncs, or inconsistent state.
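A safer stale-lock procedure, added here as an illustration and not taken from the skill: the lock records the holder's PID, and the wrapper removes the lock only once that PID is confirmed dead, failing closed when the lock carries no PID at all. The lock path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's own code: verify the lock holder before treating
# a lock as stale. LOCKFILE and the function names are assumptions.
LOCKFILE="${LOCKFILE:-/tmp/yuqing_sync.lock}"

# lock_is_stale FILE -> 0 if FILE can be removed safely, 1 if a live process may hold it
lock_is_stale() {
    file="$1"
    [ -f "$file" ] || return 0            # nothing to clean up
    pid=$(head -n1 "$file" 2>/dev/null | tr -dc '0-9')
    if [ -z "$pid" ]; then
        # No PID recorded: liveness cannot be verified, so fail closed and keep the lock
        echo "$file has no PID; refusing to remove it automatically" >&2
        return 1
    fi
    # /proc works regardless of the holder's uid; kill -0 needs permission to signal it
    if [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null; then
        return 1                          # holder alive: age alone does not make it stale
    fi
    return 0
}

# acquire_lock FILE -> 0 once this shell owns FILE (its PID written inside), 1 otherwise
acquire_lock() {
    file="$1"
    # noclobber makes the create-if-absent step atomic
    if ( set -C; : > "$file" ) 2>/dev/null; then
        echo "$$" > "$file"
        return 0
    fi
    if lock_is_stale "$file"; then
        rm -f "$file"
        if ( set -C; : > "$file" ) 2>/dev/null; then
            echo "$$" > "$file"
            return 0
        fi
    fi
    return 1
}

# Typical wrapper use:
#   acquire_lock "$LOCKFILE" || { echo "sync already running" >&2; exit 1; }
#   trap 'rm -f "$LOCKFILE"' EXIT
```

The "older than 10 minutes" rule from the troubleshooting text is replaced by a liveness check: a lock is stale only when its recorded holder no longer exists, and a lock without a PID is never removed automatically.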

Vague Triggers

Medium severity, 82% confidence
Finding
The manifest describes a data synchronization skill but does not define when it should be invoked or what conditions must be met before activation. In an agent environment, this ambiguity can cause the skill to run in unintended contexts and trigger external reads/writes without clear user intent, increasing the risk of accidental data transfer or modification.

Missing User Warnings

Medium severity, 91% confidence
Finding
The skill explicitly pulls data from an external service and writes records into Feishu Bitable, but the manifest does not present a clear user-facing warning that data will be transferred across systems and that records may be created or modified. Because this involves outbound network access and persistent changes to a destination system, users or orchestrators may invoke it without understanding the privacy, compliance, or integrity impact.

Missing User Warnings

Medium severity, 95% confidence
Finding
The tenant access token is written in plaintext to a predictable local cache file under .cache without file permission hardening, encryption, or user disclosure. If the host is shared, compromised, or backups/log collection expose the working directory, an attacker could reuse the cached token to access Feishu APIs with the app's privileges until expiry.
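A hardened token cache, added as an example and not code from the skill: the file is created under umask 077 and moved into place atomically, and a reader refuses any cache whose mode is not 0600. The cache path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's own code: write the cached tenant token with 0600
# permissions and refuse to trust a cache that is readable by others.

# write_token_cache FILE TOKEN: create FILE readable only by the owner, atomically
write_token_cache() {
    file="$1"
    token="$2"
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    # umask inside a subshell so the restrictive mask does not leak into the caller
    (
        umask 077
        tmp=$(mktemp "$dir/.token.XXXXXX") || exit 1
        printf '%s\n' "$token" > "$tmp" && mv -f "$tmp" "$file"
    )
}

# cache_mode_ok FILE -> 0 only if FILE is a regular file with mode rw------- (0600)
cache_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# read_token_cache FILE: print the cached token, or fail if the file is too open
read_token_cache() {
    if ! cache_mode_ok "$1"; then
        echo "refusing to use $1: permissions are not 0600" >&2
        return 1
    fi
    head -n1 "$1"
}
```

The mode check uses the ls -l permission string rather than stat, since stat's flags differ between GNU and BSD. Even with 0600 the token is still plaintext on disk; treat .cache as sensitive in backups and log collection, as the finding notes.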

Missing User Warnings

Medium severity, 91% confidence
Finding
The main loop runs indefinitely and continuously fetches data from one remote service and writes records to another without any interactive confirmation, runtime guardrail, or user-facing notice about ongoing transmission. In environments where users do not expect persistent background exfiltration/synchronization, this can cause unintentional disclosure of fetched content and sustained unauthorized data movement.

Missing User Warnings

Medium severity, 96% confidence
Finding
The skill accepts sensitive secrets such as app_secret and xiaoai_token as command-line arguments, which can be exposed through shell history, process listings, job runners, and orchestration logs. In an agent or automation environment, these values are especially likely to be captured by telemetry or visible to other local users, enabling unauthorized access to upstream APIs.

Missing User Warnings

Medium severity, 95% confidence
Finding
The health-check function sources the .env file with `. "$SCRIPT_DIR/.env"`, which executes any shell code present in that file rather than merely validating configuration. If an attacker or untrusted process can modify .env, running a seemingly safe `health` command will execute arbitrary commands and load secrets into the shell context unexpectedly.
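A .env loader that never executes the file, added as an example and not taken from the skill: every line must be a plain NAME=value assignment, the value is exported literally (so $(...) or backticks stay inert text), and a line that is not an assignment aborts the load. The function name is an assumption.

```shell
#!/bin/sh
# Added example, not the skill's own code: load KEY=value pairs from a .env file
# without sourcing it, so a tampered .env cannot run commands in the health check.

# load_env_file FILE -> 0 after exporting every NAME=value line; 1 if any line is not one
load_env_file() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Pass 1: validate every line before exporting anything
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        name=${line%%=*}
        case "$name" in
            *[!A-Za-z0-9_]*|[0-9]*|'')
                echo "$file:$lineno: refusing non-assignment line" >&2; return 1 ;;
        esac
        case "$line" in
            *=*) ;;
            *) echo "$file:$lineno: refusing non-assignment line" >&2; return 1 ;;
        esac
    done < "$file"
    # Pass 2: export values as literal strings; the right-hand side is never evaluated
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        name=${line%%=*}
        value=${line#*=}
        # strip one layer of matching quotes and nothing else
        case "$value" in
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        export "$name=$value"
    done < "$file"
}
```

Contrast with `. "$SCRIPT_DIR/.env"`: sourcing hands the whole file to the shell parser, so a line such as `XIAOAI_TOKEN=$(curl ...)` runs curl, whereas this loader stores that text verbatim. The health check can then validate that the required names are set without ever executing the file.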

Missing User Warnings

Medium severity, 98% confidence
Finding
The script passes sensitive values such as APP_SECRET and XIAOAI_TOKEN as command-line arguments to python3. On many systems, process arguments are visible to other local users via tools like ps or /proc, which can leak credentials and enable unauthorized access to downstream services.
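One way to keep app_secret and xiaoai_token out of argv, plus a check that a secret has not leaked into the process table, added here as an example rather than code from the skill; it serves both this finding and the earlier one about secrets as command-line arguments. The worker sync.py, its --table option, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's own code: pass secrets to the worker through its
# environment and verify they are not visible in any process's argv.

# secret_in_process_table VALUE -> 0 if some process on this host has VALUE in its argv.
# Reads /proc/<pid>/cmdline on Linux (the same data ps shows); falls back to ps elsewhere.
secret_in_process_table() {
    needle="$1"
    if [ -d /proc/self ]; then
        for f in /proc/[0-9]*/cmdline; do
            # argv is NUL-separated; a process may exit between the glob and the read
            argv=$(tr '\0' ' ' 2>/dev/null < "$f") || continue
            case "$argv" in *"$needle"*) return 0 ;; esac
        done
        return 1
    fi
    listing=$(ps -eo args= 2>/dev/null) || return 2
    case "$listing" in *"$needle"*) return 0 ;; esac
    return 1
}

# run_worker_with_env TABLE: hand the secrets to the worker via its environment.
# Assumes APP_SECRET and XIAOAI_TOKEN are already set in this shell (e.g. loaded from a
# 0600 .env) and a hypothetical worker sync.py that reads os.environ, not sys.argv.
run_worker_with_env() {
    : "${APP_SECRET:?APP_SECRET not set}" "${XIAOAI_TOKEN:?XIAOAI_TOKEN not set}"
    APP_SECRET="$APP_SECRET" XIAOAI_TOKEN="$XIAOAI_TOKEN" python3 sync.py --table "$1"
}

# Self-check before a run: confirm the secret is not already sitting in someone's argv.
#   if secret_in_process_table "$APP_SECRET"; then echo "APP_SECRET visible in ps" >&2; fi
```

The matching is done with a shell case pattern instead of grep so that the checker itself never places the secret in a command line. Environment variables are still readable by processes of the same user (and root) via /proc/<pid>/environ, but unlike argv they are not world-readable and do not land in shell history or job-runner logs.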

VirusTotal

VirusTotal findings are pending for this skill version.
