Back to skill

Security audit

feishu-meeting-scheduler

Security checks across malware telemetry and agentic risk

Overview

This Feishu scheduling skill is purpose-aligned, but it gives an unauthenticated service broad calendar, messaging, meeting-creation, and participant-tracking power that users should review carefully before installing.

Install only in a Feishu tenant where the app's permissions, reachable service URL, and allowed callers are tightly controlled. Require an authenticated gateway in front of the /api/claw routes, restrict OPENCLAW_WAKE_ENDPOINT with ALLOWED_WAKE_DOMAINS, configure FEISHU_ENCRYPT_KEY, and make sure users know their availability, poll choices, and response status are being processed and temporarily stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises operational behavior that clearly requires network and environment access, but it does not declare corresponding permissions. Undeclared capabilities reduce transparency and prevent hosts or reviewers from applying appropriate consent, sandboxing, and policy controls, which can enable unexpected data access or outbound communication.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The manifest frames the skill as a simple scheduling assistant, but the documented behavior is materially broader: persistent storage, free/busy collection, outbound messaging, calendar event creation, webhook intake, and external wake-up requests. This mismatch can mislead deployers and users about the skill's real access and automation level, increasing the chance of over-privileged installation and unnoticed handling of sensitive calendar and participant metadata.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill documents persistent tracking of who voted, who did not respond, and webhook-driven monitoring that can wake the agent for further action. In a scheduling context this expands from coordination into ongoing participant surveillance and behavioral state tracking, which creates privacy and misuse risk if users are not clearly informed and controls are absent.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The architecture describes durable asynchronous session records and participant response state that exceed the narrow expectation created by the brief manifest purpose. Storing detailed interaction state without clearly bounded purpose or lifecycle increases exposure of sensitive workplace metadata, especially around calendars, attendance preferences, and response behavior.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README explicitly describes querying multiple participants' free/busy calendar data and sending interactive scheduling cards, but it does not mention consent, authorization boundaries, data minimization, or privacy notice requirements. In a scheduling skill that processes employee calendar availability, omission of these safeguards can lead to unauthorized access or use of sensitive work-pattern information, especially when integrated into an agent-driven workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly references file-system-backed session storage but gives no user-facing warning about local data retention. Silent local persistence can expose sensitive scheduling context and participant state to other processes, backups, operators, or later compromise, particularly in shared or weakly isolated agent environments.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
This code creates calendar events and sends direct messages immediately, but there is no enforcement in this file that all affected users explicitly confirmed the final meeting time before side effects occur. In a scheduling skill, that can lead to unauthorized or premature event creation, spammy notifications, and user-trust issues if upstream logic is bypassed or flawed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly states it can read all calendars for multiple specified users to compute shared free time, but the API contract contains no user-facing notice, consent requirement, or scope limitation. In a scheduling assistant, this creates a real privacy risk because an agent could query availability for arbitrary users and infer sensitive work patterns without those users being informed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes sending interactive Feishu messages to users and persisting/tracking them via a session identifier, but it does not disclose outbound messaging or response tracking to recipients. This is dangerous because it enables silent monitoring of user interaction and unsolicited contact, which can be abused for coercive outreach, behavioral tracking, or privacy-invasive workflow automation.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The metadata explicitly allows `ALLOWED_WAKE_DOMAINS` to be omitted, and the description says leaving it empty results in no restriction. For an event-driven skill that can wake an agent via `OPENCLAW_WAKE_ENDPOINT`, this broadens the trust boundary and can enable unauthorized or unintended wake requests if downstream code relies on this setting for origin control.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
feishuService.js:188

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:8