Feishu Openapi Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for Feishu/Lark IM automation, but it can read chats, send messages, upload files, resolve users, and store inbound events with only partial consent guidance.

Install only if you intend to let an agent operate a Feishu/Lark bot app with access to chats, messages, files, and user lookup. Use least-privilege app permissions, keep secrets in environment-backed credential storage rather than inline shell commands, require human confirmation for sends/uploads/replies, and protect or rotate any subscription sink files that capture inbound messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium, 80% confidence
Finding
The skill enables outbound message sends, replies, file/image uploads, and subscription sink writes, but it does not prominently warn operators about privacy, data leakage, or accidental destructive/irreversible communication effects. In an agent setting, this can lead to unintended transmission of sensitive content to chats, storage of inbound message data on disk, or misuse of reply/send operations without explicit user confirmation.

Vague Triggers

Medium, 88% confidence
Finding
The OpenAPI description advertises broad IM and contact-management capabilities but provides no indication of invocation boundaries, allowed use cases, or user-confirmation requirements. In an agent setting, this can enable overbroad access to chats, members, messages, and user profiles, increasing the risk of unauthorized data retrieval or outbound messaging if the agent is prompted to act without sufficient policy checks.

Missing User Warnings

Medium, 93% confidence
Finding
This schema exposes sensitive capabilities including sending messages, replying, uploading files/images, reading message history, and resolving user identities from emails or mobile numbers, yet it contains no user-facing warning or consent mechanism around privacy or external data transmission. In agent workflows, that combination makes data exfiltration, unsolicited messaging, and privacy-invasive lookups materially more dangerous because the API surface is action-ready and tenant-authenticated.

Missing User Warnings

Medium, 94% confidence
Finding
The manual fallback demonstrates passing `app_id` and `app_secret` directly in a shell command body, which can lead operators to expose sensitive credentials through shell history, terminal logging, copied transcripts, or process/accountability tooling. In this context the values are long-lived app credentials that can be used to mint tenant access tokens, so disclosure can enable unauthorized API access as the Feishu/Lark app.

VirusTotal

65/65 vendors flagged this skill as clean.
