Feishu Cli Auth

Security checks across malware telemetry and agentic risk

Overview

This Feishu auth helper is legitimate in purpose, but it defaults to broad, long-lived user permissions that exceed many likely login or search tasks.

Review before installing. Use it only if you are comfortable granting the listed Feishu scopes, including write-capable calendar and task permissions, and a refresh token stored locally. Prefer narrowing scopes to the specific command you need, verify the feishu-cli binary source, protect ~/.feishu-cli/token.json, and revoke or delete the token when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The skill explicitly directs agents to request a maximal OAuth scope bundle unrelated to the immediate authentication task, violating least-privilege and materially increasing blast radius if the token is stolen, logged, or misused. Because the token includes long-lived refresh capability and broad read/write permissions across messaging, calendar, tasks, and chat management, compromise can extend well beyond the user's original intent.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The documented default policy normalizes overbroad privilege acquisition for an auth/token-management skill, encouraging persistent authorization to many unrelated APIs by default. In this context, the skill is especially risky because it manages OAuth tokens and stores them locally, so excessive scopes directly amplify the value of any compromised token.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger phrases are broad enough that the skill may be invoked for loosely related requests involving login, permissions, token expiry, or troubleshooting, increasing the chance that an agent initiates OAuth flows or token handling when not strictly necessary. In an auth skill, over-triggering is more dangerous than usual because it can lead to unnecessary credential generation, broader consent prompts, and accidental exposure of sensitive URLs or token state.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documents persistent storage of access and refresh tokens in a predictable local file path without adequately warning about the sensitivity of that file, local compromise risks, backup leakage, or permission hardening. Since refresh tokens can renew access for weeks, inadequate treatment of token.json can turn a local disclosure into prolonged account access.

Missing User Warnings

Medium
Confidence: 97%
Finding
Recommending maximal authorization without any warning about least-privilege or the risks of high-privilege consent is unsafe guidance for a credential-management skill. It conditions both users and agents to over-consent, making any later token theft, misuse, or accidental use far more damaging than necessary.

VirusTotal

58/58 vendors flagged this skill as clean.
