Feishu lark-cli Setup Guide

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Feishu setup purpose, but it creates an ongoing background token-refresh job for broad Feishu access without clear opt-in, expiry, or disable instructions.

Install only if you want an agent to configure broad Feishu/Lark account access and maintain it with a scheduled refresh job. Before running Step 3, confirm the cron schedule, timezone, account/app being refreshed, and how you will disable or delete the job later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 93% confidence
Finding
The skill directs the agent to create a recurring cron job that refreshes Feishu auth tokens indefinitely, but it does not require explicit user consent or clearly warn that background access to the user's Feishu account will be maintained over time. In this context, the token being refreshed can preserve broad access across documents, mail, calendar, messages, and other enterprise data, so the omission meaningfully increases privacy and persistence risk.

Natural-Language Policy Violations

Medium, 84% confidence
Finding
Hard-coding the cron timezone to Asia/Shanghai can cause the refresh task to run at an unexpected local time, undermining user awareness and consent about when background access is maintained. While this is not a direct privilege-escalation issue, it can lead to surprising persistence behavior and operational mistakes, especially for users outside that locale.

VirusTotal

64/64 vendors flagged this skill as clean.
