Feishu Image Messages

Security checks across malware telemetry and agentic risk

Overview

This Feishu image skill matches its stated purpose, but it weakens HTTPS security while handling Feishu credentials, images, and message sending, so it should be reviewed before use.

Install only after reviewing or patching the script to restore normal HTTPS certificate and hostname verification. Use least-privilege Feishu app scopes, confirm the recipient and image before sending, avoid the view command for sensitive images, and choose download paths carefully because the script can create directories and write files at the requested location.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation advertises capabilities to read local image files and perform network operations against Feishu, but it does not declare permissions or provide any explicit permission boundary. This creates a trust and review gap: users or orchestrators may invoke the skill without understanding that it can access local files and transmit their contents to an external service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script globally disables TLS certificate and hostname verification for every Feishu API request, which allows a man-in-the-middle attacker on the network path to impersonate the Feishu API and intercept or modify credentials, image content, and message operations. In this skill context, the code handles app secrets, bearer tokens, image upload/download, and outbound messaging, so broken TLS directly undermines authentication and confidentiality for all core functions.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation phrases are broad enough to match common image-related requests such as sending, uploading, downloading, or mentioning image_key, which increases the chance of unintended invocation. In this skill's context, accidental activation is more dangerous because the skill can read local files, download remote content, and send data over the network to Feishu.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill exposes a 'get' flow that saves remote images to local storage and a 'view' flow that returns image content as base64 for AI inspection, but the description does not warn users about these privacy and data-handling consequences. This is especially risky because images may contain sensitive personal or business information, and base64 exposure makes that content directly available to downstream model processing.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The download function writes attacker-controlled remote content to any user-supplied local path and creates parent directories automatically, with no restrictions, overwrite safeguards, or confirmation. In an agent skill, this can be abused to place files in sensitive locations, overwrite user data, or facilitate later misuse if another component consumes the written file.

Missing User Warnings

High
Confidence
99% confidence
Finding
This finding is valid for the same reason as SDI-2: SSL certificate verification is intentionally disabled without warning, so users may believe requests are securely authenticated when they are not. Because the skill is specifically for Feishu image operations and token acquisition, insecure transport makes credential theft, content tampering, and spoofed responses materially more dangerous.

VirusTotal

66/66 vendors flagged this skill as clean.
