Feishu Agent Provision

Security checks across malware telemetry and agentic risk

Overview

The skill fits its Feishu agent-management purpose, but it needs review because some high-impact actions are too broadly triggered or inconsistently controlled.

Install only if you are comfortable granting this skill administrative control over OpenClaw agents, cron tasks, Feishu group routing, and local agent workspaces. Use explicit skill-prefixed commands, verify any cron delivery target before enabling scheduled reports, avoid storing secrets or sensitive business details in backup memory, and review/fix the agent ID validation and delete-script import bug before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The skill earlier documents a safer constraint requiring deletion requests to include the word "agent" or an explicit skill prefix, but this later section reintroduces a bare "删除 <ID>" trigger. That contradiction materially increases the chance of unintended activation of a destructive workflow from ordinary conversation, especially because deletion changes global config and removes cron/bindings/workspace state.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The template message explicitly instructs the agent to wait for human confirmation before sending to the Feishu group, but the cron configuration simultaneously sets direct group delivery via `delivery.channel: "feishu"` and `delivery.to: "<飞书群ID>"`. This mismatch can cause the system to auto-deliver content to the group despite the safety gate described in the prompt, leading to unintended disclosure or bypass of human review.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The weekly template says Friday's weekly report should be merged into the daily report and not sent as a separate message, yet it defines a separate Friday cron schedule with announcement delivery. That contradiction can generate duplicate or unintended reports, increasing the chance of accidental disclosure, notification fatigue, and operator confusion about which message is authoritative.

Vague Triggers

Medium
Confidence: 84%
Finding
The state-query triggers include broad phrases such as direct ID-only status requests that can overlap with normal chat, causing the skill to activate when the user may not intend to invoke administrative inspection. While less destructive than delete, it still exposes internal agent metadata, routing state, backup freshness, and session details.

Vague Triggers

Medium
Confidence: 88%
Finding
The clone triggers allow ambiguous bare-ID forms like "克隆 <ID>", which can collide with ordinary discussion about copying or modeling something after an existing item. Because clone creates new registered agents, bindings, and possibly cron behavior, accidental activation can lead to unintended resource creation and configuration changes.

Vague Triggers

High
Confidence: 98%
Finding
This second deletion-trigger finding confirms the same unsafe pattern: a bare deletion phrase is documented in the deletion section despite earlier safety notes removing it. In context, the danger is amplified because the workflow can remove scheduled tasks, bindings, registrations, and workspace data, so accidental invocation has system-wide operational impact.

Missing User Warnings

Medium
Confidence: 93%
Finding
The validator calls re.match without importing re, so the script raises a NameError before it performs its intended safety check. This creates a denial-of-service condition for the deletion workflow and defeats the explicit path-validation guard that the rest of the destructive code relies on.

Ssd 3

Medium
Confidence: 89%
Finding
The skill explicitly promotes long-term memory and broad context retention without defining minimization boundaries, retention limits, or classes of data that must not be stored. In an enterprise messaging context, that can lead to unnecessary persistence of sensitive project, user, or operational information and increase blast radius if the workspace is accessed later.

Ssd 3

Medium
Confidence: 92%
Finding
The backup template instructs the system to record ongoing status, progress, pending items, and core configuration in persistent files. Without scoping or redaction rules, routine operation can accumulate sensitive internal context over time, making later disclosure, misuse, or cross-task leakage more likely.

Ssd 3

Medium
Confidence: 91%
Finding
The cron payload instructs the agent to read prior backup state and append execution results and next steps after every run, creating a standing persistence loop. That normalizes indefinite retention and reuse of historical context, increasing the chance that sensitive content is retained longer than necessary and later surfaced in responses or logs.

Ssd 3

Medium
Confidence: 93%
Finding
The automatic backup mechanism explicitly restores historical background and preserves important decisions indefinitely, with long-session mode described as permanent accumulation. In context, this is a real over-retention risk because the skill is designed for group communications and project workflows where sensitive business context may naturally appear.

VirusTotal

65/65 vendors flagged this skill as clean.