Know My Larkmate

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent Lark-to-OpenClaw note-sync purpose, but it can broadly read workplace data and automatically persist summaries with limited user control.

Install only if you intentionally want recent Lark workplace activity imported into OpenClaw memory. Before enabling it, review and narrow Lark scopes where possible, avoid offline_access unless scheduled background sync is required, confirm heartbeat behavior, and periodically inspect or delete the daily notes it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill instructs the agent to read local files such as today's and yesterday's daily notes, but it does not declare corresponding permissions. Undeclared file-read capability weakens auditability and consent boundaries, making it easier for the skill to access local context without clear operator awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose sounds like a narrow sync of recent context, but the workflow authorizes and encourages broad discovery across chat, docs, wiki, calendar, minutes, and VC records. That mismatch can lead to over-collection of organizational data far beyond what a user likely expects from a 'recent context sync' skill, increasing privacy and data-minimization risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script requests a very broad set of Lark read permissions, including chat messages, documents, drive metadata, minutes, meetings, wiki, and offline access, which exceeds the stated purpose of syncing recent context into daily notes. This violates least-privilege and increases the blast radius if the token is misused, leaked, or the skill behaves unexpectedly, especially because the collected data may include sensitive workplace communications and documents.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The readiness script performs live probes across multiple Lark domains—docs, wiki, messages, minutes, calendar, and video conferencing—even though the skill is described as syncing recent context into daily notes. That broad access test unnecessarily exercises and confirms availability of sensitive data sources, increasing privacy exposure and enabling over-privileged deployment beyond the skill's stated purpose.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description includes broad triggers like heartbeat runs and general questions about recent focus, which could cause automatic invocation during ordinary conversation. Because invocation may trigger searches across multiple Lark data sources and local note updates, ambiguous activation increases the chance of unintended data access and persistence.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The 'When To Use' section broadens invocation to any turn that read relevant Lark artifacts and to common questions about what the user has been doing recently. In context, that means a normal assistant turn can silently escalate into multi-source enterprise data retrieval and local memory writes, which is risky even if all requested scopes are nominally read-only.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill enables implicit invocation with no visible trigger constraints, exclusions, or narrowing conditions in the policy or interface. That increases the chance the agent will invoke this skill in unintended contexts, causing automatic synchronization of recent Lark activity into OpenClaw notes without an explicit user request, which can expose sensitive work context or create privacy and data-minimization issues.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The heartbeat prompt triggers a broad scan of the last 72 hours of messages and 7 days of meetings, docs, and minutes via a loosely specified skill reference, without explicit per-run user consent or tighter scope constraints. In a background heartbeat context, this can cause unanticipated access to sensitive collaboration data and silent propagation of summaries into memory files, making overcollection and privacy leakage more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not clearly warn users that heartbeat automation may scan messages, meetings, docs, and minutes and append derived context into persistent memory files. This lack of transparency is dangerous because users may enable or invoke the skill without understanding that background jobs can continuously collect and retain potentially sensitive workplace information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide explicitly instructs the agent to write synthesized recent-context snapshots into persistent daily memory files, but it does not require user confirmation, visibility, or any guardrails around storing potentially sensitive workplace activity. Because the skill reads Lark messages, meetings, docs, and minutes, the resulting memory entry can persist confidential or privacy-sensitive data beyond the immediate task, increasing retention and unauthorized disclosure risk.

VirusTotal

65/65 vendors flagged this skill as clean.
