Create a Deep Research Feishu Doc

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent Feishu research-and-upload purpose, but it instructs the agent to expose live Feishu access tokens and secrets in chat while making authenticated cloud-document changes.

Review before installing. Use only with a least-privilege Feishu app and a non-sensitive target folder. Do not paste the App Secret, and do not allow the tenant_access_token, file tokens, tickets, or document tokens to be printed in chat. Prefer a managed secret store and masked status output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill explicitly requires the agent to print live Feishu tenant access tokens, file tokens, tickets, and document tokens in user-visible output. Those values are operational secrets or sensitive identifiers that can enable unauthorized API access, file manipulation, or document discovery if exposed in chat logs, telemetry, or screenshots. In the context of a research-and-upload skill, revealing these secrets is unnecessary and materially increases risk.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill instructs the agent to fetch Feishu App ID and App Secret from configuration and, if unavailable, ask the user to provide them directly. This expands the skill from document generation into credential acquisition and handling, increasing the chance of secret exposure in prompts, transcripts, or downstream tools. The context makes this more dangerous because the same skill also normalizes direct API usage and visible reporting of sensitive values.

Missing User Warnings

High
Confidence: 99%
Finding
The skill directly instructs disclosure of raw Feishu access tokens and related document/file tokens in output. This is dangerous because bearer-style tokens can often be reused by anyone who sees them, and document identifiers can facilitate unauthorized access or targeted abuse. The disclosure is not needed to satisfy the user's business goal of generating and uploading a report.

Missing User Warnings

Medium
Confidence: 88%
Finding
Reading App ID/App Secret from configuration and using them in API calls without clear user disclosure or consent creates a hidden credential-use pathway. While backend secret use can be legitimate, this skill combines it with aggressive direct API execution and secret-reporting behavior, making accidental leakage or misuse more likely. The absence of explicit warning or guardrails makes this a true security concern rather than a harmless implementation detail.

Ssd 3

High
Confidence: 99%
Finding
The skill mandates revealing live access tokens and document identifiers in user-visible status output, which is a classic sensitive-data disclosure issue. This is especially dangerous because the exposed values are fresh, actionable, and tied to external APIs and cloud documents, so compromise can occur immediately via copied logs or observer access. The surrounding workflow reinforces and normalizes this unsafe behavior.

Ssd 3

High
Confidence: 98%
Finding
The example includes a full bearer-style tenant access token in sample output, which trains operators and users to accept secret disclosure as normal behavior. Even when illustrative, embedding realistic secret formats increases the likelihood of copy-paste leakage, unsafe implementation, and poor review hygiene. In a skill that already instructs direct API calls, this materially elevates the chance of real-world credential exposure.

VirusTotal

64/64 vendors flagged this skill as clean.