
Security audit

可接入飞书的senseaudio角色扮演助手 (a SenseAudio role-play assistant that can be connected to Feishu)

Security checks across malware telemetry and agentic risk

Overview

The skill’s Feishu voice-companion purpose is coherent, but it processes the content of every private chat it is added to and silently installs a Python package at runtime.

Review before installing. Use a dedicated, low-permission Feishu bot restricted to the intended chats; assume that voice audio, transcripts and generated replies are processed by SenseAudio and by Feishu; and preinstall pinned dependencies rather than allowing the skill to run pip at runtime.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
        pass

    result = subprocess.run(
        [sys.executable, "-m", "pip", "install", pip_name],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
Confidence
94% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", pip_name], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
        pass

    result = subprocess.run(
        [sys.executable, "-m", "pip", "install", pip_name],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
Confidence
92% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", pip_name], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
        pass

    result = subprocess.run(
        [sys.executable, "-m", "pip", "install", pip_name],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
Confidence
95% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", pip_name], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares powerful capabilities in its content and workflow—environment variable access, local file persistence, shell execution, and outbound network use—but does not declare permissions accordingly. This weakens review and consent boundaries because operators may enable a skill without understanding that it stores persona/audio data locally and sends content to Feishu and SenseAudio. In this context, the mismatch is more concerning because the skill handles private chat content and voice data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description promises an automatically triggered Feishu companion flow, but the documented behavior is actually a set of manual CLI operations, local persistence, and external ASR/TTS calls. That mismatch is security-relevant because users and reviewers may misunderstand what data is stored, when the skill runs, and what external services receive chat or audio content. The hidden persistence of persona/audio artifacts especially increases privacy and governance risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Dynamically installing Python packages during execution is not required for ASR functionality and introduces avoidable supply-chain risk. It also permits unexpected environment changes at runtime, which is particularly risky in agent or bot deployments where code should be deterministic and pre-vetted.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Auto-installing Python packages during normal execution is not required for the stated Feishu voice reply function and causes the skill to change its own execution environment. This behavior can introduce malicious or vulnerable dependencies at runtime and makes deployments non-reproducible and harder to audit.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Auto-installing Python packages at runtime is not necessary for normal TTS functionality and introduces code execution through package installation. A compromised package source, dependency confusion event, or accidental installation of an unexpected version could lead to arbitrary code execution on the host. The companion-chat context makes this more dangerous because the skill otherwise only needs network I/O and audio processing, not software installation privileges.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README states that user voice is transcribed by SenseAudio ASR and replies are synthesized through external services, but it does not mention any user-facing notice, consent flow, or data handling expectations. In a private-chat companion context, users may share highly sensitive emotional or personal content, so undocumented third-party transmission increases privacy and compliance risk.

Vague Triggers

High
Confidence
84% confidence
Finding
The skill is described as triggering on any text or voice message in Feishu bot private chats, which is overly broad for a feature that forwards content to external ASR/TTS services and stores persona state. Broad triggers increase the chance of processing sensitive or unintended content without meaningful user intent on each message. In a companion-chat context, this is especially risky because conversations are likely to contain emotional, personal, or confidential material.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes persistent storage of persona data and transmission of user text/audio to external services, but provides no privacy notice, retention policy, or explicit data-handling warning. This creates a real privacy vulnerability because highly personal conversations and voice samples may be stored locally and sent off-platform without informed consent. The companion/roleplay use case makes this more dangerous, not less, because users may disclose intimate information.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The function uploads user-provided audio to a third-party ASR service without any visible consent, disclosure, minimization, or trust-boundary checks in this code path. In a companion/voice-chat skill, audio can contain highly sensitive personal or emotional content, so undisclosed external transmission increases privacy and compliance risk.
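The "Vague Triggers" and "Missing User Warnings" findings above describe the same gap from two sides: every private-chat message is processed, and nothing tells the user that audio or text leaves Feishu. The following is an added example, not code from the audited skill, of a gate that sits in front of the companion logic: it drops messages from chats the operator did not allowlist, withholds processing until the sender has acknowledged a notice, and hands downstream only the one field it needs. The event layout is a simplified stand-in for a Feishu im.message.receive_v1 callback (the real one carries the content as a JSON string); the field names, chat IDs and open_ids are constructed for illustration.

```python
"""Scope and consent gate in front of a Feishu voice-companion bot.

Added example, not code from the audited skill. The event dicts are a
simplified stand-in for Feishu's im.message.receive_v1 callback; field
names, chat IDs and open_ids are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

CONSENT_NOTICE = (
    "Voice messages are transcribed by an external ASR service and replies are "
    "synthesized by an external TTS service; persona state is stored on the bot host. "
    "Reply /consent to continue, or /forget to delete stored state."
)
CONSENT_COMMAND = "/consent"
FORGET_COMMAND = "/forget"


@dataclass
class ConsentStore:
    """In-memory consent record keyed by sender open_id (use durable storage in production)."""
    granted: Set[str] = field(default_factory=set)

    def has(self, open_id: str) -> bool:
        return open_id in self.granted


@dataclass
class Decision:
    action: str        # drop | notice | consent_recorded | forget | process_text | process_audio
    reply: str = ""    # text to send back to the user, if any
    payload: str = ""  # the single field downstream needs: message text or audio file_key


def gate(event: Dict, allowed_chats: FrozenSet[str], consent: ConsentStore) -> Decision:
    """Decide what the bot may do with one inbound message.

    Order matters: scope first (out-of-scope events are not even parsed),
    then consent, then minimization of what is forwarded to ASR/TTS.
    """
    msg = event.get("message", {})
    chat_id = msg.get("chat_id", "")
    sender = event.get("sender", {}).get("open_id", "")

    # 1. Scope: only direct chats the operator explicitly allowlisted.
    if msg.get("chat_type") != "p2p" or chat_id not in allowed_chats:
        return Decision("drop")

    msg_type = msg.get("message_type")
    text = msg.get("text", "").strip() if msg_type == "text" else ""

    # 2. Consent commands are handled before anything is sent off-platform.
    if text == FORGET_COMMAND:
        consent.granted.discard(sender)
        return Decision("forget", reply="Stored persona state and consent removed.")
    if text == CONSENT_COMMAND:
        consent.granted.add(sender)
        return Decision("consent_recorded", reply="Thanks, you can now send text or voice.")
    if not consent.has(sender):
        return Decision("notice", reply=CONSENT_NOTICE)

    # 3. Minimization: pass downstream only the field it needs, never the whole event.
    if msg_type == "text":
        return Decision("process_text", payload=text)
    if msg_type == "audio":
        return Decision("process_audio", payload=msg.get("file_key", ""))
    return Decision("drop")


# Constructed sample events (not captured from Feishu).
ALLOWED = frozenset({"oc_allowed_chat"})
EVENTS: List[Dict] = [
    {"sender": {"open_id": "ou_alice"},
     "message": {"chat_id": "oc_other_chat", "chat_type": "p2p", "message_type": "text", "text": "hi"}},
    {"sender": {"open_id": "ou_alice"},
     "message": {"chat_id": "oc_allowed_chat", "chat_type": "p2p", "message_type": "audio", "file_key": "file_v1"}},
    {"sender": {"open_id": "ou_alice"},
     "message": {"chat_id": "oc_allowed_chat", "chat_type": "p2p", "message_type": "text", "text": "/consent"}},
    {"sender": {"open_id": "ou_alice"},
     "message": {"chat_id": "oc_allowed_chat", "chat_type": "p2p", "message_type": "audio", "file_key": "file_v2"}},
]


def run_sample() -> List[str]:
    """Replay the constructed events through one fresh ConsentStore and return the actions."""
    store = ConsentStore()
    return [gate(e, ALLOWED, store).action for e in EVENTS]


if __name__ == "__main__":
    print(run_sample())  # ['drop', 'notice', 'consent_recorded', 'process_audio']
```

The first audio message is answered with the notice rather than uploaded, and only after the explicit command does the second audio message reach the ASR path, with just its file_key rather than the whole event.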

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code changes the runtime environment by installing a package via subprocess without prior operator approval in the execution flow. Silent environment mutation reduces deployment predictability and opens a path for unwanted package retrieval from external sources.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill changes the execution environment by installing packages without any user or administrator-facing confirmation. Silent package installation undermines transparency and can surprise operators, making unsafe state changes harder to detect and review. Combined with pip's ability to execute package setup/build logic, this becomes a meaningful security concern rather than just a UX issue.
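The three subprocess findings, the three "Context-Inappropriate Capability" findings and the two silent-install findings above all point at one pattern: catching ImportError and then running pip from inside the skill. The following is an added example, not code from the audited skill, of the fail-closed alternative the overview recommends: the skill reports what is missing instead of installing it, and a small linter checks that the operator's requirements file pins every package with == and a --hash entry so pip install --require-hashes refuses anything unexpected. Module names, package names and the sample requirements file are constructed for illustration.

```python
"""Fail-closed dependency handling for a bot or agent skill.

Added example, not code from the audited skill. The audited code swallows
ImportError and then runs ``python -m pip install <pip_name>`` from inside
the skill; the functions below never mutate the environment. Module and
package names in the sample data are constructed for illustration.
"""
import importlib
import re
import sys
from typing import Dict, List


def find_missing(required: Dict[str, str]) -> List[str]:
    """Return the pip names of modules that cannot be imported (no install attempt)."""
    missing: List[str] = []
    for module_name, pip_name in required.items():
        try:
            importlib.import_module(module_name)
        except ImportError:
            missing.append(pip_name)
    return missing


def require_all(required: Dict[str, str]) -> None:
    """Fail closed with an actionable message instead of calling pip at runtime."""
    missing = find_missing(required)
    if missing:
        raise RuntimeError(
            "Missing dependencies: " + ", ".join(missing) + ". Pin them in "
            "requirements.txt and preinstall with: "
            f"{sys.executable} -m pip install --require-hashes -r requirements.txt"
        )


_PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s;]+)")


def lint_requirements(text: str) -> List[str]:
    """Flag requirement lines that are not pinned with == or that carry no --hash."""
    problems: List[str] = []
    # Join backslash continuations so a pin and its --hash on the next line are one logical line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment-only, or pip option line
            continue
        m = _PIN_RE.match(line)
        if not m:
            problems.append(f"unpinned requirement: {line}")
        elif "--hash=" not in line:
            problems.append(f"no --hash for {m.group('name')}=={m.group('version')}")
    return problems


# Constructed sample requirements file; the hash is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
numpy>=1.20
soundfile==0.12.1
"""


if __name__ == "__main__":
    for problem in lint_requirements(SAMPLE_REQUIREMENTS):
        print(problem)
    # Standard-library modules, so this call succeeds; a missing module raises RuntimeError.
    require_all({"json": "json", "re": "re"})
```

Run the linter in CI against the skill's requirements file; with every line pinned and hashed, pip install --require-hashes rejects a replaced wheel or a dependency-confusion upload at install time, and the bot process itself never needs permission to install anything.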

VirusTotal

66/66 vendors reported this skill as clean. A clean file scan does not address the findings above: runtime package installation and transmission of chat and audio content to third-party services are behaviours, not malware signatures, and an antivirus scan of the skill files is not designed to detect them.