Feishu Wiki Query

Security checks across malware telemetry and agentic risk

Overview

This Feishu wiki query skill mostly matches its stated purpose, but it embeds real-looking Feishu app credentials and adds outbound upload/message-sending flows that are broader than a normal read-only query skill.

Review before installing. Do not use the bundled Feishu credentials; they should be revoked and replaced with your own securely managed credentials. Remove or verify the prefilled knowledge-base config. Only allow image upload, message sending, or sheet access after explicit user approval, with known recipients and minimal Feishu permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill is described as a knowledge-base query/read capability, but it also includes instructions and code to upload and send images to users via Feishu messaging. That expands the skill from passive retrieval into active outbound communication and data transmission, creating a path for exfiltration of document contents outside the current interaction context.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
For a skill framed as document querying, requiring the broader `sheets:spreadsheet` permission instead of a read-only scope violates least privilege. Broader spreadsheet permissions increase the blast radius if the skill or its credentials are abused, potentially enabling modification or broader access beyond simple reading.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The file contains hardcoded Feishu `app_id` and `app_secret` used to obtain a tenant access token. Embedded credentials in skill content are highly sensitive because anyone with access to the skill can reuse them to mint tokens and access Feishu APIs under the application's privileges.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The skill documentation instructs use of direct `curl` and `requests` calls to multiple external APIs beyond the core wiki read flow. This broadens the operational surface and encourages network actions and token use that exceed the narrow expectation of a knowledge-base query skill.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill persists user-supplied knowledge base configuration to a local file without clearly warning about local storage of URLs, names, and derived identifiers. Storing user configuration on disk can create privacy and integrity risks, especially in shared or insufficiently isolated environments.

Missing User Warnings

Medium
Confidence: 83%
Finding
The instructions describe downloading images and accessing external Feishu endpoints with bearer tokens, but do not provide clear privacy, consent, or network-transmission warnings. This can lead to sensitive document media or tokens being handled externally without sufficient user awareness or operational safeguards.

Missing User Warnings

High
Confidence: 95%
Finding
The embedded script reads a local file, uploads it to Feishu, and sends an image message to a recipient, but the skill does not present this as a sensitive outbound action requiring explicit user notice and consent. That creates a clear risk of unintended disclosure of document-derived content and misuse of messaging capabilities.

Ssd 3

Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to send retrieved knowledge-base images to a user through Feishu messaging. In the context of a document-query skill, this is especially dangerous because it creates a natural exfiltration path for potentially sensitive enterprise content outside the current chat and beyond the expected read-only scope.

VirusTotal

No VirusTotal findings
