feishu-doc-reviewer

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it can make live Feishu document changes and includes under-disclosed or unsafe write paths that users should review before installing.

Install only if you trust the publisher and can restrict the Feishu app to the specific documents you intend to edit. Avoid using run-tool.sh until its argument handling is fixed, and require the agent to preview changes before updating, deleting, summarizing, replying to, or resolving Feishu comments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill explicitly describes reading environment variables for Feishu credentials and performing network operations against Feishu APIs, but it does not declare any permissions. This weakens security review and consent boundaries because an agent or platform operator cannot accurately understand that the skill can access secrets and transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose is limited to document read/write and comment handling, but the finding indicates the skill can also auto-generate summaries, insert new blocks at the document start, and create an editing baseline/schema. That mismatch is dangerous because it hides materially broader write behavior, increasing the chance of unauthorized content injection or document manipulation beyond what a user expects.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill exposes an additional capability to prepend a generated summary to the beginning of a document, which goes beyond the stated scope of comment review and paragraph read/write. In an agent setting, unnecessary write capabilities increase the blast radius: a caller expecting narrow review operations could instead modify document structure and content globally, leading to unauthorized or surprising changes.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This code can automatically inspect document structure and synthesize a summary that is then written into the document, effectively enabling content generation and broad document rewriting not directly justified by the review-comment workflow. In a document-editing agent, this makes prompt injection and accidental over-editing more dangerous because the model can alter prominent document content based on inferred structure rather than explicit user-approved edits.

Unvalidated Output Injection

High
Category
Output Handling
Content
try:
    response = requests.post(url, headers=self._get_headers(), json=payload)
    print(f"Insert blocks status: {response.status_code}")
    print(f"Insert blocks response: {response.text[:500]}")
    response.raise_for_status()
    return response.json()
except Exception as e:
Confidence
80% confidence
Finding
f"Insert blocks response: {response

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
mcp>=1.0.0; python_version>="3.10"
Confidence
95% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
mcp>=1.0.0; python_version>="3.10"
Confidence
90% confidence
Finding
python-dotenv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
requests

Known Vulnerable Dependency: mcp — 3 advisory(ies): CVE-2025-53366 (MCP Python SDK vulnerability in the FastMCP Server causes validation error, lead); CVE-2025-66416 (Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection); CVE-2025-53365 (MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to )

High
Category
Supply Chain
Confidence
91% confidence
Finding
mcp

Tool Parameter Abuse

High
Category
Tool Misuse
Content
"""
        删除块内容(通过清空内容实现)
        
        注意:飞书 docx API 没有直接的 DELETE /blocks/{block_id} 接口。
        实际做法是用 PATCH 更新块,将内容设置为空字符串。
        
        Args:
Confidence
86% confidence
Finding
DELETE /blocks/{block_id}

VirusTotal

62/62 vendors flagged this skill as clean.
