ClawHub

Feishu Messenger

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill explains how to send user-chosen messages and files to Feishu, with no hidden code or automatic behavior, but users should review sensitive content before sending.

Install only if you intend to send Feishu messages from your configured OpenClaw environment. Before using file, screenshot, or log examples, verify the recipient ID or chat, redact secrets and personal data, and avoid sending confidential material unless it is approved for that Feishu destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to send text, images, and files to Feishu, which is an external messaging platform, but does not warn that potentially sensitive data will leave the local environment and be transmitted to a third party. In a messaging skill, this omission increases the risk of accidental data exfiltration because users may treat the command like a local file-handling action rather than an outbound sharing operation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs users to send screenshots, logs, and arbitrary files to an external Feishu recipient, but it provides no warning about sensitive-data exposure, third-party transmission, or the need to review content before sending. In an agent context, this omission increases the risk of accidental exfiltration of credentials, personal data, internal documents, or system details.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal