Feishu Integration (Lukaizj)

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Feishu integration, but it exposes a callable token-retrieval tool and lacks clear safety boundaries for external messaging and chat changes.

Review before installing. Use a least-privilege Feishu app, treat the app secret and any token output as sensitive, and require explicit user confirmation before sending messages or creating chats. Consider removing or disabling feishu_get_token unless a non-sensitive authentication health check is sufficient.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill’s stated purpose is Feishu messaging, group management, and workflow automation, but it also exposes a tool that retrieves a tenant access token. Even though the returned token is truncated, exposing credential-retrieval functionality materially expands the skill’s capability boundary and can enable misuse, token handling mistakes, or future leakage through logs or downstream changes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill includes an explicit tenant access token retrieval function that is not necessary for normal messaging or chat-management operations. Credential-oriented functionality increases the risk of unauthorized reuse, privilege abuse, and accidental disclosure, especially in an agent environment where tools may be invoked indirectly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill asks users to provide Feishu app credentials and supports sending messages, creating groups, and managing chats, but it does not present clear user-facing warnings about the sensitivity of those credentials or the real-world effects of those actions. In practice, this can lead to accidental misuse, unauthorized messaging/group changes, or users granting broad access without understanding the consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly enables sending messages, creating chats, and listing chats in an external collaboration platform, but it does not warn that using these actions can transmit data outside the current system or affect real user/group resources. This creates a real safety issue because an agent may perform external communications or modify Feishu state without clear user awareness or confirmation.

Credential Access

High
Category
Privilege Escalation
Content
async def feishu_get_token() -> Dict[str, Any]:
    """
    Get Feishu tenant access token.

    Returns:
        Dictionary with token info
Confidence
99% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
},
    {
        "name": "feishu_get_token",
        "description": "Get Feishu tenant access token"
    }
]
Confidence
99% confidence
Finding
access token

VirusTotal

67/67 vendors flagged this skill as clean.
