Feishu Knowledge Base Organizing Expert (飞书知识库整理专家)

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate Feishu wiki organizing purpose, but its instructions give broad document-moving authority with conflicting scope, failure-handling, and scheduling guidance that users should review before use.

Install only if you intend to let an agent reorganize Feishu wiki content. Start with one knowledge base, review every preview before approving moves, avoid cross-library or merge operations unless you explicitly asked for them, confirm how failed items will be handled, and do not enable any hourly automation until you know how to disable it and where logs are stored.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch (Medium, 95% confidence)

Finding: The skill metadata and core principles promise in-place organization without merging or cross-library movement, but the body later authorizes cross-library moves and merged-library workflows when the user agrees. This inconsistency can cause the agent to take broader, riskier destructive-adjacent actions than the user expected, increasing the chance of misfiled content, broken links, or accidental reorganization outside the intended scope.

Intent-Code Divergence (Medium, 92% confidence)

Finding: The document gives conflicting instructions for failed moves: some sections say failed items must be automatically placed into '其他' ("Other"), while others say failures should be recorded and skipped. In an automated content-moving skill, contradictory failure handling is dangerous because it makes outcomes non-deterministic and can lead to silent data disorder, repeated retries, or documents being left behind without clear operator awareness.

Intent-Code Divergence (Medium, 97% confidence)

Finding: The skill states automation is disabled by default and requires manual enablement, but later asserts cron automation is already installed and has run multiple times. That contradiction is especially dangerous in a skill that moves documents, because it can normalize or trigger unattended periodic actions without informed consent, leading to unauthorized or unexpected reorganization.

Vague Triggers (Medium, 85% confidence)

Finding: The trigger phrases are broad enough to match common conversational requests like '帮我整理一下' ("help me tidy this up") or '太乱了' ("it's too messy"), which can invoke a high-impact skill in situations where the user did not specifically request bulk wiki reorganization. Because this skill performs structural actions on knowledge bases, over-broad activation increases the risk of unintended execution on the wrong task or dataset.

VirusTotal

VirusTotal findings are pending for this skill version.