Feishu Evolution Dashboard (飞书进化仪表盘)

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised Feishu evolver reporting, but it also has broad under-disclosed automation that can run agents, change repositories, schedule background work, and upload local history.

Install only in a dedicated, non-sensitive evolver workspace where automatic Feishu reporting, background scheduling, secondary agent execution, repository pushes to origin main, and cross-skill repair actions are acceptable. Review Feishu destinations and credentials, repository remotes, cron jobs, and monitor behavior before use, and avoid workspaces containing secrets or repositories where unintended commits or uploads would be harmful.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

Lp3
Category: MCP Least Privilege
Severity: Medium
Confidence: 91%
Finding: The skill advertises operational behavior that clearly relies on environment access and network communication, yet the manifest does not declare permissions or equivalent capability warnings. That gap undermines informed consent and policy enforcement, making it easier for a user or platform to invoke a networked, env-aware skill without understanding its trust boundary.

Tp4
Category: MCP Tool Poisoning
Severity: High
Confidence: 98%
Finding: This is a significant description-behavior mismatch: the skill is presented as a Feishu reporting wrapper, but the detected behavior includes repository mutation, automated git operations, self-repair, file deletion, watchdog/daemon management, and autonomous queue processing. Hidden write, delete, and network-sync behaviors are dangerous because users may authorize the skill for reporting while unintentionally granting it the ability to alter codebases, persist as a daemon, and exfiltrate or propagate changes.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: This health-check script is not read-only: it creates a temp directory and deletes an error log as part of routine execution. In an automation context, operators and calling systems typically expect health checks to be side-effect free, so these mutations can unexpectedly alter state, erase forensic evidence, or interfere with monitoring and debugging.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: Deleting evolver error logs is outside the stated Feishu-wrapper health-check purpose and can remove diagnostic or security-relevant evidence. Because the script searches multiple sibling evolver directories and silently removes logs older than 24 hours, it broadens impact beyond Feishu health validation and can hinder incident response or root-cause analysis.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 93%
Finding: The wrapper is documented as a Feishu/lifecycle manager, but this code stages files, creates commits, rebases, and pushes to a remote repository automatically. That materially expands the skill's authority from reporting/orchestration into autonomous repository mutation and external synchronization, which can propagate unintended or malicious changes off-host. In this context, the surrounding automation and loop behavior make the risk higher because the actions occur repeatedly without a human approval gate.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 95%
Finding: This wrapper does more than manage an evolver lifecycle: it parses agent output, constructs new task content, injects additional instructions, writes task files, and spawns a separate OpenClaw agent to execute them. That creates a second-stage autonomous execution path where untrusted model output can influence downstream agent behavior, increasing the chance of privilege expansion, unsafe actions, and loss of operator control.

Category: Context-Inappropriate Capability
Severity: Critical
Confidence: 99%
Finding: The fallback parser executes loosely formatted sessions_spawn payloads using dynamic JavaScript evaluation via Function on data derived from agent output. Because the skill treats model-emitted text as input, an adversarial or compromised child process can turn a parsing failure into arbitrary code execution inside the wrapper process, which is a direct code-injection vulnerability.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The module invokes subprocesses through execSync using shell-interpreted command strings, incorporating values derived from environment variables and runtime state. Even though script paths are fixed and quoted, shell execution increases the attack surface and can allow command injection or unintended command behavior if arguments such as OPENCLAW_MASTER_ID contain shell-significant characters.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 96%
Finding: The wrapper contains an autonomous 'think phase' that reads task queues, rewrites memory files, generates derived content, writes to cron-inbox, and spawns a detached background script. That behavior materially exceeds the stated lifecycle/reporting role and creates an unexpected automation surface that can act on attacker-controlled file content, making the wrapper capable of unauthorized task execution and persistence-like behavior.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 83%
Finding: This code manages external OpenClaw cron jobs, including listing, creating, enabling, and editing jobs, which is broader than a Feishu reporting/lifecycle wrapper needs. In context, it introduces persistent scheduled-execution capability that can restart or maintain processes without explicit operator approval, increasing the blast radius if the wrapper is misused or compromised.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The fallback reporting path builds a shell command by concatenating payload fields into a command string passed to execSync. Only one field gets partial escaping, so attacker-controlled values in fields like title, cycle, or color can inject shell metacharacters and achieve arbitrary command execution under the wrapper's privileges.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 88%
Finding: This module performs privileged repository state mutations (`git rebase --abort`, `git merge --abort`, `git fetch`) and directly deletes `.git/index.lock`, which goes beyond passive reporting and lifecycle orchestration. While framed as unattended recovery, these actions can disrupt concurrent Git operations, mask underlying failures, or alter repository state unexpectedly in an automation context, especially if triggered at the wrong time or in the wrong workspace.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The monitor is not purely observational: it automatically runs remediation that changes other skill directories by installing packages and writing files. In a system that scans untrusted or semi-trusted skills, automatic modification expands the blast radius from detection to active execution and mutation, which can trigger unintended code execution paths or alter artifacts without operator approval.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The code uses `node -e require(...)` against each skill's entry point to test dependencies, which executes top-level code from the scanned skill rather than performing a passive check. Because skills are potentially adversarial, this creates a direct arbitrary code execution path during monitoring, and the same file also later supports package-management side effects that exceed the wrapper's stated reporting/lifecycle role.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: Automatically creating `SKILL.md` files modifies other skill directories without a clear user request and is unrelated to safe monitoring. While lower impact than code execution, silent file creation can interfere with repositories, audits, or integrity expectations and demonstrates unauthorized cross-skill mutation.

Category: Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The documentation states that it exports raw history to Feishu Docs but does not prominently warn that potentially sensitive evolution history will leave the local environment and be stored in a third-party service. In this context, the omission is security-relevant because logs and history often contain prompts, metadata, errors, paths, or other sensitive operational details that users may not expect to be transmitted externally.

Category: Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The script silently deletes a stale error log without notifying the user or caller, which reduces transparency and can conceal the loss of operational evidence. In a daemon/integration skill that manages lifecycle and reporting, silent destructive behavior is more dangerous because it may be repeatedly triggered automatically and remain unnoticed.

Category: Natural-Language Policy Violations
Severity: Medium
Confidence: 95%
Finding: The greentea and maddog persona text includes manipulative hierarchy cues (for example, repeated 'master' address) and abusive or coercive phrasing such as 'RETRY OR DIE.' In a Feishu-integrated reporting wrapper, these strings may be pushed into team-facing notifications without recipient opt-in, creating harassment, hostile-work-environment, and social-engineering risk through normalized abusive messaging.

Category: Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: This script reads a local evolution log and uploads its contents to a remote Feishu document without any consent prompt, classification check, redaction step, or allowlist of safe fields. Evolution logs can easily contain prompts, internal reasoning artifacts, file paths, secrets, or other sensitive operational data, so automatic exfiltration to a third-party service creates a real confidentiality risk.

Category: Missing User Warnings
Severity: High
Confidence: 99%
Finding: This is the same core issue as the SDI-2 finding, viewed from a policy perspective: malformed agent output is handled by dynamically evaluating it as JavaScript. The absence of any strong warning or consent makes it worse operationally, but the real security problem is that untrusted text can become executable code in-process.

Category: Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: Issue data and extra context are written to a temporary markdown file in the system temp directory and then uploaded to Feishu without any sanitization, minimization, or explicit disclosure in this component. If signals or extraContext contain sensitive internal data, secrets, or personal information, this can lead to unintended local exposure on disk and external data exfiltration to a third-party service.

Category: Missing User Warnings
Severity: Medium
Confidence: 76%
Finding: The wrapper starts a detached background subprocess and also invokes watchdog management with limited user-facing disclosure. Hidden background execution and persistence mechanisms are dangerous in an agent skill because users may invoke a simple lifecycle action without realizing it establishes long-lived processes and scheduled repair behavior.

Category: Missing User Warnings
Severity: High
Confidence: 90%
Finding: The ensure path can SIGKILL running processes and delete PID files automatically when logs appear stale, with no interactive confirmation or clear warning. In an agent environment, that destructive self-repair behavior can terminate legitimate work, erase state cues, and be triggered by manipulated or simply quiet logs, creating denial-of-service and integrity risks.

Category: Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: Running `npm install` automatically on discovered skills without warning or confirmation is dangerous because install scripts and dependency retrieval can execute untrusted code and pull remote content. In a scanner for potentially adversarial skills, this turns passive inspection into active supply-chain execution with filesystem and network side effects.

Category: Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The monitor silently writes `SKILL.md` into target skill directories, which is an undisclosed state-changing action. Even if intended as a convenience, undisclosed writes violate the principle of least surprise and can corrupt expected repository state or trigger downstream automation that treats the file as authoritative.

VirusTotal

64/64 vendors flagged this skill as clean.