Back to skill

Security audit

Feishu Interactive Cards

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Feishu interactive-card integration, but users should scope it carefully because it uses Feishu credentials and forwards callback data.

Install only if you intend to let this skill send Feishu messages with your configured Feishu app credentials and run a callback server that can forward interaction details to OpenClaw Gateway. Avoid using the broad 'ANY uncertainty' rule for sensitive or routine replies, review the Gateway URL/token and access controls, minimize form and todo data placed in cards, and keep the Node dependencies updated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation instructs use of local scripts, configuration files, and environment-backed credentials, but it does not declare the permissions needed for those capabilities. Undeclared access to secrets/config and execution context reduces transparency and can bypass policy controls that rely on explicit permission declarations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose focuses on sending interactive cards, but the skill also describes reading local credentials/configuration, operating a callback server, and forwarding rich callback payloads to a gateway endpoint. That mismatch can mislead operators about the true trust boundary, causing unreviewed exposure of secrets, metadata, and user interaction data to additional components.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The callback handler forwards raw Feishu interaction data, including operator details, action payloads, context, and the full raw event, to a separate OpenClaw Gateway. That is a real data-flow expansion beyond the skill’s declared purpose of rendering cards and handling callbacks, and it creates an unnecessary exfiltration path for user interaction data and any form contents embedded in callbacks.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Loading a separate Gateway URL and bearer token enables a secondary integration channel unrelated to core Feishu card interaction handling. In this file that configuration is used to forward callback data externally, so the extra credential scope materially increases attack surface and creates a hidden cross-system data transfer path.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The TODO card serializes the entire `todos` array into multiple button callback payloads (`toggle_todo`, `complete_all_todos`, `reset_all_todos`, `clear_completed_todos`) when only a task identifier or server-side reference is needed. This unnecessarily exposes all task text and metadata to every interactive action, increasing the chance of data leakage through client-visible payloads, logs, webhook events, or downstream handlers.

Vague Triggers

High
Confidence
92% confidence
Finding
The directive to use the skill whenever there is 'ANY uncertainty' is an overly broad activation rule that can cause the agent to invoke external messaging and callback infrastructure in many situations beyond necessity. Broad triggers increase the chance of unintended data sharing, unnecessary session extension, and user interactions being routed through this skill when a plain response would suffice.

Vague Triggers

High
Confidence
91% confidence
Finding
The 'When to Use' section includes broad categories like 'Any uncertain situation,' which can be interpreted expansively by an agent and lead to excessive invocation of a networked, stateful interaction mechanism. In security terms, ambiguous routing logic is dangerous because it expands the circumstances under which user data and workflow context are exported to Feishu and the callback gateway.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document states that all card interaction callbacks are automatically forwarded to the Gateway, including detailed operator identifiers and complete raw callback data. Without explicit minimization, consent, or privacy notice guidance, this can expose personally identifiable information and unnecessary event contents to another service, increasing privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code forwards callback data to the Gateway asynchronously without any user-facing disclosure or consent, even though callback payloads can contain operator identifiers, message context, button values, and submitted form fields. This creates a privacy and transparency failure that is especially concerning in a messaging integration where users reasonably expect actions to stay within Feishu unless told otherwise.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: feishu-interactive-cards
version: 1.0.2
description: Create and send interactive cards to Feishu (Lark) with buttons, forms, polls, and rich UI elements. Use when replying to Feishu messages and there is ANY uncertainty - send an interactive card instead of plain text to let users choose via buttons. Automatically handles callbacks via long-polling connection. Use for confirmations, choices, forms, todos, polls, or any scenario requiring user interaction in Feishu.
---

# Feishu Interactive Cards
Confidence
84% confidence
Finding
Create and send interactive cards to Feishu (Lark) with buttons, forms, polls, and rich UI elements. Use when replying to Feishu messages and there is ANY uncertainty - send an interactive card instea

Known Vulnerable Dependency: axios==1.13.4 — 10 advisory(ies): CVE-2026-44494 (axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `co); CVE-2026-44495 (axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollut); CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
axios==1.13.4

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/card-callback-server.js:29