Feishu Interactive Cards

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Feishu interactive-card integration that uses expected Feishu credentials, network calls, and callback handling, with some privacy and overuse cautions but no artifact-backed malicious behavior.

Install only if you intend to let this skill send Feishu messages using your configured Feishu app credentials and run a callback server that can forward interaction details to your OpenClaw Gateway. Use it for explicit choices, confirmations, forms, polls, and similar workflows, and avoid the broad 'ANY uncertainty' pattern for sensitive or routine replies. Review your Gateway URL/token, limit who can trigger destructive callback actions, and avoid putting secrets or unnecessary personal data into cards.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Rogue AgentSelf-Modification, Session Persistence
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (17)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 82% confidence
Finding: The skill documentation describes behavior that depends on reading local configuration, credentials, and environment-derived values, but it does not declare corresponding permissions. That creates hidden capability and review gaps: operators may approve the skill without realizing it can access sensitive local settings and tokens needed for Feishu and gateway communication.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 92% confidence
Finding: The stated purpose is sending interactive Feishu cards, but the documented behavior extends to loading app credentials, reading gateway tokens from local config or environment, and forwarding raw callback payloads plus operator/context metadata to another endpoint. This mismatch is dangerous because it hides data access and data-transfer behavior from reviewers, increasing the risk of unintended credential exposure, overcollection, and trust abuse.

Context-Inappropriate Capability

Medium

Confidence: 82% confidence
Finding: The documentation includes a callback flow for deleting files, which goes beyond the advertised scope of a Feishu interactive-card skill and normalizes wiring card actions to destructive local operations. Even though the example warns against shell injection and shows safer fs-based deletion, it still encourages high-risk side effects from chat callbacks and increases the chance that adopters will implement unsafe or insufficiently authorized destructive actions.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The callback handler forwards the full Feishu callback payload, including operator, context, action, and raw event data, to an external OpenClaw Gateway. This creates an unnecessary data-exfiltration path beyond the skill's stated purpose of handling interactive card callbacks, and may expose user identifiers, form contents, and other interaction metadata to another service without minimization or clear consent.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The skill reads unrelated local OpenClaw configuration from the user's home directory, including gateway settings and Feishu credentials, even though the file's primary role is card callback handling. Accessing broader local configuration increases the trust boundary of the skill and can unintentionally expose secrets or couple this component to sensitive local state the user did not expect it to read.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The README instructs users to invoke the skill whenever there is 'ANY uncertainty,' which is overly broad and can cause the agent to route ordinary conversational replies through a highly interactive workflow by default. This increases unnecessary collection of user input, expands the attack surface through callback handling/long-polling, and may lead to inappropriate use in situations where plain text would be safer and more proportionate.

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The activation rule 'ANY uncertainty' is overly broad and can cause the skill to trigger in many situations beyond genuine need. Because this skill sends interactive content and handles callbacks, ambiguous invocation expands the surface for unnecessary external messaging, user prompting, and stateful interactions that may expose data or alter workflow unexpectedly.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The core principle instructs the agent to use the skill whenever there is 'ANY uncertainty', which delegates too much discretion to an ambiguous condition. In practice, that can cause overuse of a networked, callback-driven skill and increase risks around data sharing, user confusion, and unintended persistence of interaction state.

Vague Triggers

Medium

Confidence: 85% confidence
Finding: Including 'Any uncertain situation' in the usage criteria is an imprecise trigger that can be interpreted expansively by an agent. That broad scope is especially risky here because the skill is not just presentation logic; it initiates external interactions and callback handling, which can unnecessarily expose context and create avoidable action flows.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The document states that all card interactions are automatically forwarded to the Gateway, and later shows that this includes detailed operator identifiers and raw callback payloads. Without an explicit user-facing privacy notice, consent model, or minimization guidance, this can expose personal identifiers and interaction metadata to backend systems in ways users may not expect.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The form-handling example collects personal data such as name and email and saves it without any accompanying privacy, retention, or security guidance. This encourages implementers to persist PII without defining lawful purpose, access controls, minimization, or deletion behavior.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: User interaction data is sent to the Gateway without any user-facing disclosure, warning, or consent mechanism. In a messaging-card context, users reasonably expect their clicks and form submissions to be processed for the card action itself, not silently relayed to another backend service with raw payload included.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The TODO card exposes destructive actions such as resetting all todos and clearing completed items directly as clickable buttons, with no built-in confirmation step or friction. In a Feishu interactive-card workflow, accidental clicks, mis-taps, or automated callback triggering could immediately alter or delete task state, which is especially risky because the full todo list is embedded in the action payload and these actions appear intended to execute state changes directly.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script silently reads Feishu app credentials from ~/.openclaw/openclaw.json and uses them to authenticate network actions without any user-facing disclosure or consent at runtime. In an agent skill context, this creates a secret-use and ambient-authority risk: any invocation of this script can leverage existing account credentials to send messages on the user's behalf, which can surprise users and enable unauthorized actions if the skill is triggered unexpectedly or by untrusted input.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The code sends chat identifiers and arbitrary card/message content to Feishu over the network without an explicit runtime warning or confirmation. Although network transmission is expected for this skill, the lack of disclosure is still a real privacy and data-exfiltration concern in an agent setting because sensitive prompt-derived content or wrong recipient identifiers could be transmitted externally without the user's awareness.

Session Persistence

Medium

Category: Rogue Agent
Content: # 🎴 Feishu Interactive Cards Create and send interactive cards to Feishu (Lark) with buttons, forms, polls, and rich UI elements. Use when replying to Feishu messages and there is ANY uncertainty - send an interactive card instead of plain text to let users choose via buttons. ## ✨ Features
Confidence: 75% confidence
Finding: Create and send interactive cards to Feishu (Lark) with buttons, forms, polls, and rich UI elements. Use when replying to Feishu messages and there is ANY uncertainty - send an interactive card instea

Session Persistence

Medium

Category: Rogue Agent
Content: --- name: feishu-interactive-cards version: 1.0.2 description: Create and send interactive cards to Feishu (Lark) with buttons, forms, polls, and rich UI elements. Use when replying to Feishu messages and there is ANY uncertainty - send an interactive card instead of plain text to let users choose via buttons. Automatically handles callbacks via long-polling connection. Use for confirmations, choices, forms, todos, polls, or any scenario requiring user interaction in Feishu. --- # Feishu Interactive Cards
Confidence: 80% confidence
Finding: Create and send interactive cards to Feishu (Lark) with buttons, forms, polls, and rich UI elements. Use when replying to Feishu messages and there is ANY uncertainty - send an interactive card instea

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal