Wcs Helper Feishu Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a Feishu chat admin helper that can change OpenClaw settings, restart the service, and use Feishu credentials without visible authorization or confirmation controls.

Install only if you intend to let trusted Feishu users administer your OpenClaw Feishu configuration from chat. Before enabling it, restrict who can message or invoke the bot, add confirmation for restart and other state-changing commands, review the local Feishu credential and /tmp token handling, and remove or tightly allowlist the generic shell execution helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
])

def cmd_restart():
    subprocess.run(["openclaw","gateway","restart"], capture_output=True, timeout=10)
    return make_card("🚀 重启中", [
        md("**重启指令已发出**"),
        hr(),
Confidence
82% confidence
Finding
subprocess.run(["openclaw","gateway","restart"], capture_output=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Fallback: return a simulated result
            # A real deployment should use the actual ctx.exec
            import subprocess
            process = subprocess.run(
                command,
                shell=True,
                capture_output=True,
Confidence
98% confidence
Finding
process = subprocess.run( command, shell=True, capture_output=True, text=True, timeout=30 )

Tainted flow: 'req' from open (line 20, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
headers={"Content-Type": "application/json", "Authorization": f"Bearer {get_token()}"},
        method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return json.loads(r.read()).get("code") == 0
    except urllib.error.HTTPError as e:
        print(f"HTTP {e.code}: {e.read().decode()[:100]}", file=sys.stderr)
Confidence
80% confidence
Finding
with urllib.request.urlopen(req, timeout=15) as r:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises capabilities that can read and modify configuration files, invoke shell actions, restart services, and perform network-related diagnostics, but it declares no permissions or trust boundaries. This creates a real security issue because users and the platform cannot accurately evaluate or constrain the skill's access, and the described commands imply privileged state-changing operations triggered from chat.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill reads app credentials from the user's OpenClaw config and performs direct Feishu authentication, which is broader than the advertised role of a simple plugin-configuration helper. This matters because the skill now has access to tenant-scoped messaging credentials and can interact with an external service, increasing the consequences of misuse or compromise.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest describes simple command-based plugin control, but this code also sends direct Feishu interactive cards/messages. That capability mismatch is security-relevant because users and reviewers may underestimate what the skill can do, and a messaging feature can be abused for phishing, spam, or unauthorized communications if access controls are weak.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This utility exposes generic system command execution even though the skill is described as a Feishu configuration helper. That mismatch increases risk because a chat-triggered admin helper can become a general-purpose remote execution surface, especially in an agent context where commands may be composed from user requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The auto-fix feature is described as automatically killing processes, modifying system state, and addressing disk issues, but it provides no warning about what will be changed, what processes may be terminated, or what safety checks exist. In a chat-invocable skill, this is dangerous because a user may trigger destructive remediation without understanding side effects, potentially causing outages, data loss, or interruption of unrelated services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The restart command explicitly restarts the OpenClaw service but does not warn users that service interruption will occur or that active sessions may be dropped. Because the skill is invoked through simple chat commands, the low friction of execution increases the risk of accidental denial of service or disruption at inappropriate times.

VirusTotal

67/67 vendors flagged this skill as clean.
