feishu-user

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Feishu document helper, but it gives an agent user-token access to read and change Feishu documents, so users should handle tokens and destructive actions carefully.

Install only if you want an agent to operate on Feishu documents under your user identity. Use the narrowest Feishu scopes that work, protect or remove ~/.config/claw-feishu-user/config.json when not needed, avoid shared machines, and require explicit confirmation before update or delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill documentation describes capabilities that include network access and local file read/write behavior, but it declares no permissions. That creates a transparency and consent problem: a user or host system may authorize the skill expecting only document operations while the skill also stores tokens locally and contacts external OAuth endpoints. In an agent setting, undeclared capabilities materially increase risk because they can be exercised without clear user awareness.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The description claims simple Feishu document read/create/write/append operations, but the content also covers OAuth token acquisition, token refresh, local credential persistence, and additional block-level modification and deletion actions. This mismatch can mislead users and automated reviewers about the true privilege scope and persistence behavior of the skill. In practice, hidden auth and storage behavior increases the chance of over-broad trust and unintended credential exposure.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
`write_doc` is documented and named as an overwrite operation, but it actually delegates to `append_doc`, causing new content to be appended instead of replacing existing content. In an agent skill, this semantic mismatch can lead to unintended disclosure, corruption, or duplication of sensitive document data because callers may trust the API contract and use it in destructive or compliance-sensitive workflows.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The helper is for token acquisition/refresh, but it declares document and search scopes unrelated to that narrow purpose. Overbroad scopes violate least privilege and make any stolen or misused token more damaging by granting unnecessary access to user documents and search capabilities.

Missing User Warnings

Medium
Confidence: 86%
Finding
The examples include overwrite and delete operations on documents and blocks without warning about irreversible data loss, versioning implications, or confirmation requirements. In a document-management skill operating on a user's personal cloud documents, destructive actions are especially sensitive because mistakes or prompt injection could cause loss of important content. The surrounding context makes this more dangerous, not less, because the skill is explicitly intended to modify user-owned data.

Missing User Warnings

Medium
Confidence: 90%
Finding
The token auto-refresh instructions direct users to store access and refresh tokens in a predictable local path without any security warning about plaintext credential storage, file permissions, or compromise risk. If the local machine or account is exposed, those tokens could grant ongoing access to the user's Feishu documents. Because this is a user-token skill accessing personal cloud documents, local credential persistence meaningfully raises the blast radius of host compromise.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script stores access and refresh tokens in a local JSON file under the user's home directory without setting restrictive file permissions or using a secure credential store. If the file is read by another local user, malware, backups, or other tooling, the tokens can be reused to access or refresh access to the victim's Feishu resources.

VirusTotal

58/58 vendors flagged this skill as clean.
