Feishu SKILL

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Feishu API reference skill with sensitive API examples, but no hidden execution or credential-stealing behavior was found.

Install only if you want local Feishu API reference material. When using the examples, store real credentials in environment variables or a secret manager, request the minimum Feishu scopes needed, avoid logging raw token or directory responses, and treat contact, session, and messaging APIs as sensitive administrative operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation shows direct use of `app_id` and `app_secret` to retrieve a tenant access token, but it does not include any warning about secure secret storage, redaction, or the risk of exposing long-lived credentials in source files, terminals, screenshots, or logs. In a security-sensitive auth flow, omission of secret-handling guidance can lead users to copy real credentials into scripts and examples, increasing the likelihood of credential leakage and subsequent token theft.

Missing User Warnings

Medium
Confidence: 97%
Finding
The document explicitly states that this API does not validate contact-scope authorization and will directly return user basic information regardless of data permission scope. In a skill/API documentation context, that means the interface enables access to personal data outside normal authorization boundaries, which is a real privacy and access-control weakness rather than a mere documentation issue.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document describes an API that returns highly sensitive personal and organizational data such as email, mobile number, employee number, department hierarchy, leadership relationships, geo, and employment details, but it provides no warning about privacy risk, data minimization, retention, or output handling. In a reusable agent skill context, this omission can lead downstream users or agents to over-collect, log, expose, or persist sensitive directory data without adequate safeguards.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document describes an API response containing multiple categories of sensitive personal data, including email, mobile number, employee number, manager relationships, department path, and employment metadata, but it does not give consumers any explicit warning about privacy handling, data minimization, storage restrictions, logging risks, or compliance obligations. In an API skill or integration context, this omission can lead downstream developers to collect, display, cache, or log PII more broadly than necessary, increasing privacy and compliance risk.

VirusTotal

67/67 vendors flagged this skill as clean.
