Feishu Skills Kit 飞书技能全集

Security checks across malware telemetry and agentic risk

Overview

This Feishu integration kit is mostly purpose-aligned, but it contains unsafe shell command construction and remote write scripts that can act without clear user control.

Install only if you are comfortable reviewing and constraining a broad Feishu automation kit. Before use, remove or fix the Bitable sample scripts, replace shell-based execSync dispatch with argument-array subprocess calls or direct module calls, use least-privilege Feishu app scopes, avoid uploading secrets or private files, and enable the bridge/autostart and cross-group memory features only for approved chats and accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 85%
Finding:
The skill markets itself as a complete 10-skill Feishu kit, but the visible content does not substantiate several claimed capabilities. This mismatch can mislead users into installing and trusting a broader integration surface than is actually present, reducing auditability and making hidden or later-added behavior easier to smuggle in under an overbroad description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The handler constructs a shell command with untrusted event-derived values (`userOpenId` and especially `menuKey` embedded in `replyText`) and executes it via `execSync`. If an attacker can control menu event fields or trigger malformed webhook payloads, shell metacharacters can break out of the quoted arguments and cause arbitrary command execution on the host.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
This wrapper is not actually safe because it constructs a shell command string and passes user-controlled values such as --target, --color, and especially --title into execSync with only double-quote wrapping. In a shell context, quoting alone is not sufficient to neutralize command substitution and other shell metacharacter behaviors, so an attacker who controls these fields can potentially execute arbitrary commands on the host running the skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill reads local OpenClaw session metadata from a user home directory to auto-discover Feishu groups, which expands its data access beyond the obvious Feishu API scope. Even if used for convenience, this creates an unexpected local data boundary crossing and may reveal or infer group identifiers from unrelated local agent state without explicit user consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill accepts arbitrary event text and writes it into workspace files and daily logs, enabling persistence of potentially sensitive or untrusted content outside the stated recall/search function. This broadens the skill from read-only cross-group recall into local data modification, which can leak private information into project files or poison downstream workflows that consume those logs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The capability table declares only text messaging and chat/member lookup, but later sections also instruct image and file upload. This mismatch can mislead operators and reviewers about what data the skill may transmit externally, increasing the risk of unreviewed data exfiltration or unsafe use.

Scope Creep

Severity: High
Confidence: 94%
Finding:
The skill documents file and image upload operations that exceed the permissions disclosed in its own permission table. In an agent setting, understated permissions are dangerous because users may authorize or invoke the skill without realizing it can send binary content and documents to Feishu, enabling unintended external data transfer.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding:
Overly broad triggers such as generic platform terms can cause the skill to activate during ordinary conversation, leading to unintended invocation of networked or credentialed functionality. In a skill tied to messaging, documents, and external APIs, accidental activation increases the chance of data disclosure or unintended actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This script performs a real write operation to a Feishu Bitable by creating a record immediately when executed, using hardcoded target identifiers and sample content, without any confirmation prompt, dry-run mode, or clear user warning. In an agent-skill context, that is dangerous because a user or higher-level automation may trigger it expecting inspection or preparation, but the skill will silently modify remote data and can create unintended records in production tables.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The README describes sending interactive cards to Feishu/Lark but does not warn users that message text, markdown, attachments, and recipient metadata are transmitted to an external third-party service. This omission can lead users to unknowingly send sensitive code, logs, credentials, or internal business data outside their local environment, especially because the examples encourage sending rich content and files.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This subprocess invocation passes event-derived data into a shell command without any sanitization boundary, so the core issue is not merely lack of disclosure but unsafe command construction. In this Feishu webhook context, externally influenced event content reaching `execSync` materially increases the risk of command injection and unintended system command execution.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
When card sending fails, the code automatically retransmits the message body as plain text to the same remote endpoint without explicit user consent. This can bypass the user's expectation that a failed send prevented disclosure, and it also weakens the secret-scanning control because the fallback path does not re-run or enforce equivalent checks before sending.

Natural-Language Policy Violations

Severity: High
Confidence: 93%
Finding:
The comment explicitly states that strict length checks were removed to allow longer prompt-injection content via CLI arguments. Even though this is a comment, it documents developer intent to permit adversarial payload delivery into a messaging workflow, which materially increases abuse risk in an agent skill context where CLI-provided content may come from untrusted prompts or tool invocations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The code launches a subprocess using user-influenced parameters without any meaningful safety boundary, confirmation, or validation, which is risky in an agent skill where inputs may come from prompts, chat content, or untrusted automation. In this context, the main issue is not just lack of warning but that subprocess execution is performed through a shell, amplifying the chance of command injection and unsafe downstream behavior.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The skill explicitly guides document creation, editing, and reading via API but does not warn that these actions can modify existing enterprise documents or expose document contents. In an agent-skill context, omission of such safety framing can lead users or downstream agents to perform sensitive reads/writes without confirming authorization or scope.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The instructions tell users how to obtain and use a tenant access token, including submission of app_id and app_secret, but do not warn that these are sensitive credentials. In practice, agent users may paste real secrets into chats, logs, or scripts, creating a clear risk of credential leakage and subsequent unauthorized API access.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation shows how to retrieve and use app_secret and tenant_access_token but does not warn that these values are sensitive credentials that should not be echoed, committed, or captured in shell history and logs. In a troubleshooting guide, readers commonly copy-paste commands directly, so omission of secrecy guidance materially increases the chance of credential exposure.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The guide recommends curl -v for debugging without warning that verbose mode can print Authorization headers, request metadata, and potentially sensitive response bodies. This can leak bearer tokens and document contents into terminals, CI logs, screen recordings, or support tickets.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The test script hardcodes APP_SECRET and prints a token prefix, encouraging insecure secret handling and partial credential disclosure. Hardcoded secrets are often copied into repositories or shared snippets, and even partial token output can aid correlation and accidental disclosure during debugging.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The logging example writes request bodies and responses directly to a log file without warning that they may contain bearer tokens, document text, identifiers, or other sensitive data. Persistent logs greatly increase exposure because they are often backed up, aggregated, and accessed by broader audiences than the original runtime context.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation includes a direct example for obtaining a tenant_access_token using app_id and app_secret, but it does not warn that the app_secret and resulting token are sensitive credentials. In practice, users often paste such commands into shared terminals, shell history, logs, screenshots, or troubleshooting threads, which can expose secrets and enable unauthorized API access.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill explicitly advertises permission changes and destructive document operations such as removing collaborators and deleting blocks, but it does not warn users that these actions can revoke access or permanently alter content. In an agent context, missing safety cues increase the chance of unintended high-impact actions being taken automatically or with insufficient confirmation.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The skill description contains very broad activation triggers such as generic Feishu doc/docx links and broad phrases like 'write to Feishu doc' or 'generate a Feishu doc'. Overly broad triggers can cause the skill to activate in unintended contexts, increasing the chance of unreviewed document writes or destructive operations being suggested when the user did not explicitly request them.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The manifest description and trigger conditions are broad enough to activate on ordinary leave-related conversation, which can cause the agent to enter a workflow that gathers sensitive HR and health-related information and prepares a real approval submission without sufficiently narrow user intent. In this context, over-broad activation is more dangerous because the skill is action-oriented and operates against a workplace system, increasing the risk of unintended data collection or unintended leave-request initiation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly enables searching messages, generating digests, and sharing events across all Feishu groups and DMs, but the documentation does not warn users about the privacy implications or the breadth of data access. This creates a real risk of unauthorized cross-group surveillance, accidental disclosure of sensitive conversations, and use beyond the expectations of participants in separate groups.

VirusTotal

64/64 vendors flagged this skill as clean.