ClawHub

飞书消息直接发送文件

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Feishu file-sending skill, but it gives agents broad local file discovery and batch-upload patterns without strong confirmation safeguards.

Install only if you trust the agent environment and will keep file sending tightly user-directed. Use explicit file paths, verify the Feishu recipient or channel, avoid sensitive or regulated files, and do not allow broad directory scans, automatic compression, previews, or batch sends without reviewing and approving each file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill includes an `exec` example that enumerates workspace files via shell and then batch-sends selected results, which expands the skill from 'send a specific file' into filesystem discovery and bulk exfiltration. In an agent context, even read-only enumeration of local files is sensitive because it helps identify potentially confidential documents for onward transmission to an external platform.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The documented workflow instructs the agent to create arbitrary local files before sending them, which exceeds the narrow purpose of transmitting an existing attachment. This broadens capability unnecessarily and can enable staging, transforming, or packaging data for exfiltration rather than simply forwarding a user-designated file.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly promotes direct sending of local files and batch sending, but provides no warning or guardrails about accidental disclosure of sensitive local data. In a skill whose core purpose is transmitting attachments to an external messaging platform, omission of privacy, destination verification, and file-selection cautions materially increases the risk of unintended data exfiltration by users or downstream agents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly enables direct transmission of local files through Feishu but does not require recipient confirmation, sensitivity classification, or a user-facing disclosure warning before exfiltrating local data. In this context, the capability is legitimate, but the missing guardrails make accidental disclosure of confidential local files materially more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The core example shows how to send a local file attachment to Feishu but omits an explicit warning that the file's contents leave the local environment and are transmitted to an external messaging service. In agent workflows, this omission is dangerous because users or downstream agents may treat 'send file' as a local operation and accidentally disclose sensitive data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The batch-send example normalizes sending multiple local documents to an external platform without any caution about aggregate data loss risk, mistaken file selection, or over-sharing. Bulk transmission materially increases impact because a single workflow can disclose many files at once, including unrelated or sensitive workspace contents.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill recommends reading local file contents and embedding a preview into the outbound message before sending the attachment. That creates a second disclosure channel and can leak sensitive content from user-provided or confidential files into chat text, logs, notifications, or message history even when only the attachment was intended to be shared.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal