ClawHub

Save Douyin Video To Feishu Drive

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it asks users to persist Feishu credentials and enables cloud uploads with incomplete permission and secret-handling guidance.

Review before installing. Use a dedicated Feishu app and a dedicated Drive folder with only the permissions required for upload, avoid storing app_secret or tenant tokens in TOOLS.md or chat history, and require confirmation before automatic uploads. The behavior is not deceptive, but the credential persistence and cloud write authority are high-impact enough to warrant Review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to obtain and pass Feishu app credentials and derive a tenant access token, but it provides no warning that app_secret and access tokens are sensitive secrets. This can lead users to paste long-lived credentials into shells, logs, chat transcripts, or skill configuration files, enabling unauthorized access to Feishu resources if exposed.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill offers downloading remote video content to a local path without warning about where files will be written, overwrite behavior, disk usage, or handling of untrusted file destinations. In practice this can cause accidental overwrites, storage exhaustion, or writing sensitive media to unintended locations on shared systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal