飞书新机器人创建

Security checks across malware telemetry and agentic risk

Overview

This is a real Feishu/OpenClaw bot setup guide, but it asks an agent to handle app secrets and change local Gateway configuration with too little scoping and safety control.

Review this before installing unless you specifically want an agent to help create Feishu bots in this OpenClaw setup. Do not paste APP SECRET into chat unless that is acceptable for your environment; prefer a secret manager or environment variable, review the exact openclaw.json diff, back up the config, confirm each state-changing step, inspect copied AGENTS/TOOLS/USER/MEMORY content for private or stale instructions, and keep a revocation/removal plan for the new bot.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrases are broad enough that ordinary user requests like '新建一个机器人' or '新增bot' could invoke this skill without sufficient scoping or confirmation. Because the skill leads to handling sensitive credentials, filesystem changes, config edits, and service restarts, accidental activation could cause unauthorized or unintended operational changes.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal