File Monitor Feishu Notify

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated purpose, but it sets up background file monitoring and automatic Feishu sharing with weak guidance on user control, privacy, and shutdown.

Install only if you intentionally want a background process to watch a narrow, non-sensitive folder and send file names, sizes, timestamps, and local paths to a Feishu group. Use least-privilege Feishu credentials, protect config.json, avoid broad document or cloud-sync folders, do not follow the GitHub token-in-URL instruction, and verify the missing launcher/HEARTBEAT setup before enabling automatic startup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'msg_req' from open (line 82, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
msg_req.add_header('Content-Type', 'application/json')
msg_req.add_header('Authorization', f'Bearer {access_token}')

with urllib.request.urlopen(msg_req, timeout=10) as resp:
    msg_result = json.loads(resp.read().decode('utf-8'))

if msg_result.get('code') == 0:
Confidence
80% confidence
Finding
with urllib.request.urlopen(msg_req, timeout=10) as resp:

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The uninstall instructions use `taskkill /F /IM python.exe`, which forcibly terminates all Python processes on the host rather than only this skill’s monitor/sender processes. This can disrupt unrelated applications, automation, developer workflows, or security tooling, making it an unjustified host-wide destructive action for a simple notification skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document instructs users to embed a GitHub personal access token directly in the `git push` command URL. This can expose credentials through shell history, process listings, screenshots, logs, clipboard history, or accidental copy/paste into shared channels, leading to repository compromise if the token is reused or overprivileged.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that newly detected files are automatically sent to a Feishu group, but it does not clearly warn users that local file content or metadata may be transmitted to an external service. For a file-monitoring skill, this omission increases the risk of accidental disclosure of sensitive documents from the watched directory.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installation and startup sections instruct users to deploy and run the skill without a clear warning that it continuously monitors a directory and automatically forwards newly detected files to Feishu. This creates a meaningful risk of users enabling persistent exfiltration-like behavior without informed consent or understanding of the privacy consequences.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README instructs users to place `app_secret` directly in `config.json` without warning about protecting that credential. While common in setup docs, omission of secret-handling guidance can lead to accidental exposure through source control, logs, backups, or shared skill directories.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger description says the skill is automatically activated by file monitoring and a HEARTBEAT daemon, but it does not clearly define scope, start conditions, stop conditions, or whether it runs continuously in the background. Ambiguous activation semantics are risky for a monitoring-and-exfiltration workflow because users may not realize when surveillance and outbound notifications are active.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description presents file monitoring and Feishu notification as convenience features but does not prominently warn users that files in the watched directory may be automatically detected and their contents or metadata sent to an external chat system. In this context, the omission is dangerous because the configured watch path appears to be a cloud-synced document directory, increasing the chance of sensitive or personal data being transmitted without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
