Feishu Agent Configuration Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a local helper that prints Feishu/OpenClaw configuration snippets, with the main caution that it displays the provided App Secret in clear text.

Use this only in a private terminal. Treat the Feishu App Secret as a credential: do not paste real values into shared chats, screenshots, logs, or source control, and rotate the secret if it is exposed. Review the generated openclaw.json changes before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly asks users to provide an App Secret to generate configuration, but it does not warn users that this value is a credential that must be handled carefully, redacted from logs, and not retained unnecessarily. In an agent-skill context, requesting secrets without clear safeguards increases the risk of accidental disclosure through chat history, telemetry, screenshots, or copied config snippets.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script prints the provided appSecret directly into terminal output as part of a generated JSON snippet. This can expose credentials through shell history capture, terminal scrollback, screen sharing, logging systems, or copied transcripts, which is especially risky because the secret is intended for persistent authentication.

VirusTotal

65/65 vendors flagged this skill as clean.
