ClawHub

Feishu Contacts

Security checks across malware telemetry and agentic risk

Overview

This Feishu contact skill appears useful, but it handles and stores broad employee directory data with insufficient user-facing controls or disclosure.

Review before installing. Use this only with an authorized Feishu app and only if local storage of employee directory data is acceptable for your organization. Confirm where the cache is stored, how to delete it, what fields are cached or printed, and whether the app can be scoped to only the minimum directory access needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation indicates capabilities that perform network access to Feishu APIs and persistent local file writes for the contact cache, but it does not declare permissions accordingly. This creates a transparency and governance gap: users or the hosting platform may not realize the skill can exfiltrate or persist employee directory data, which is especially sensitive in an enterprise context.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill description says it is for searching contacts, but the implementation performs bulk directory synchronization, department traversal, member enumeration, and direct lookup capabilities. This materially expands access to organization-wide directory data and enables mass harvesting of employee identifiers beyond a narrow search workflow, increasing privacy and insider-abuse risk if the tool is misused or the host is compromised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The get command retrieves and prints extra personal identifiers including union_id, enterprise email, and mobile number, which are not necessary for the stated purpose of finding open_id, email, or department info before messaging. Exposing these fields on stdout increases the chance of unauthorized disclosure, terminal logging leakage, and collection of sensitive employee metadata.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly stores employee directory data in a persistent local cache, but the documentation does not present a user-facing warning about the privacy and security implications of retaining names, emails, department mappings, and potentially phone data on disk. On shared or insufficiently secured systems, this can lead to unauthorized access to internal directory information and stale copies of sensitive personnel data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The sync operation writes a complete local cache of users, departments, emails, and membership mappings to disk under the user's home directory without consent, retention controls, or permission hardening. Storing a bulk directory snapshot locally increases exposure if the endpoint is shared, backed up insecurely, or accessed by other local processes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal