agent-father

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw/Feishu administration skill, but it needs review because it can create and delete local and remote resources and handles employee data with weak safeguards.

Install only if you intend to give this skill admin-like control over OpenClaw and Feishu onboarding. Use least-privilege Feishu credentials, avoid production tenants for testing, back up OpenClaw workspaces and configs before deletion, review generated employee data storage, and do not run delete-agent.sh until workspace path containment and confirmation safeguards are improved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises shell-based operational capabilities via required binaries and executable scripts, but it does not declare corresponding permissions or execution scope. That creates a transparency and governance gap: users or hosting platforms may underestimate that the skill can create, modify, and delete local resources and invoke networked tooling.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script deletes whatever directory path agent.json records as the workspace, checking only that the value is non-empty and that the path exists before running rm -rf. If agent.json is malformed, tampered with, or points outside the expected OpenClaw workspace root, the script can recursively delete arbitrary directories on the host, which is especially dangerous in an administrative skill meant to manage the employee/agent lifecycle.
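The path-containment and confirmation safeguards this finding asks for, as an added example written for this review rather than the skill's own delete-agent.sh. It assumes a workspace root in OPENCLAW_ROOT (a hypothetical default under ~/.openclaw) and takes the workspace path as an argument, since the page does not show the agent.json key the script reads. Symlinks and ".." are resolved with cd and pwd -P before the comparison, so a link planted inside the root cannot redirect the deletion outside it:

```shell
#!/bin/sh
# Added example, not the skill's delete-agent.sh: only rm -rf a workspace that
# resolves to a directory strictly inside the expected OpenClaw root.
# OPENCLAW_ROOT is an assumed location; the page does not show the real layout.
set -eu

OPENCLAW_ROOT="${OPENCLAW_ROOT:-$HOME/.openclaw/workspaces}"

# Print the physical path of $1 if it is a directory strictly below
# OPENCLAW_ROOT (symlinks and ".." resolved); otherwise print nothing and fail.
contained_workspace() {
  local candidate root resolved
  candidate="${1:-}"
  [ -n "$candidate" ] || return 1
  root=$(cd -- "$OPENCLAW_ROOT" 2>/dev/null && pwd -P) || return 1
  resolved=$(cd -- "$candidate" 2>/dev/null && pwd -P) || return 1
  case "$resolved" in
    "$root"/?*) printf '%s\n' "$resolved" ;;   # strictly below the root
    *) return 1 ;;                            # the root itself, an ancestor, or outside
  esac
}

# Delete the workspace recorded in agent.json (passed in as $1). Refuses any
# path that escapes the root and asks for confirmation unless $2 is --yes.
delete_workspace() {
  local ws target answer
  ws="${1:-}"
  target=$(contained_workspace "$ws") || {
    printf 'refusing to delete %s: not inside %s\n' "$ws" "$OPENCLAW_ROOT" >&2
    return 2
  }
  if [ "${2:-}" != "--yes" ]; then
    printf 'Permanently delete %s? [y/N] ' "$target"
    read -r answer
    [ "$answer" = y ] || { echo aborted >&2; return 3; }
  fi
  rm -rf -- "$target"
}
```

The check rejects the root itself, any ancestor of it, an empty value, and a symlink that resolves outside the root; an operator who wants a non-interactive run must pass --yes explicitly instead of getting silent deletion by default.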

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quickstart instructs users to place Feishu app credentials in shell environment variables, including guidance to persist them in shell startup files, without warning that these secrets may be exposed through shell history, process environments, logs, crash reports, or multi-user system inspection. In the context of a skill that provisions agents and chats against real external services, leaked credentials could allow unauthorized API access and abuse of the organization’s Feishu integration.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The quickstart tells users to run commands that create Feishu chats and generate employee and agent artifacts, producing real side effects in external systems and local workspace files, but does not clearly warn that these are mutating operations rather than safe validation steps. Calling chat creation a configuration test increases the chance of accidental provisioning, clutter, unintended notifications, or creation of misleading organizational records.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented delete flow removes agent directories, workspaces, configuration entries, employee records, and optionally Feishu groups, but it does not clearly warn that these actions may be irreversible or cause data loss. In an agent-management skill, this increases the chance of accidental destructive use by operators who interpret the command as routine cleanup.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill instructs users to read Feishu app credentials from ~/.openclaw/openclaw.json without any warning about secret handling, least-privilege access, or avoiding exposure in logs and terminal output. This can normalize unsafe handling of API secrets and increase the risk of credential disclosure through shell history, screenshots, or overbroad file permissions.
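The secret-handling checks missing from this finding and from the earlier one about shell environment variables, as an added example written for this review and not part of the skill. It loads the Feishu credentials into the current session only, instead of persisting them in shell startup files, and only after ~/.openclaw/openclaw.json passes ownership and permission checks. The JSON key names app_id and app_secret and the flat-file extractor are assumptions, since the page does not show the file layout:

```shell
#!/bin/sh
# Added example, not part of the skill: load Feishu credentials into the
# environment of the current session only, from a file that passes ownership
# and permission checks, and never echo the secret. The path and the JSON keys
# app_id/app_secret are assumptions; the page does not show the file layout.
set -eu

OPENCLAW_CONFIG="${OPENCLAW_CONFIG:-$HOME/.openclaw/openclaw.json}"

# Return 0 if $1 is a regular, non-symlink file owned by the current user with
# no group/other permission bits (mode 0600); otherwise report why and fail.
check_secret_file() {
  f="$1"
  if [ -L "$f" ]; then echo "$f: refusing to follow a symlink" >&2; return 1; fi
  if [ ! -f "$f" ]; then echo "$f: not a regular file" >&2; return 1; fi
  # POSIX find: -prune stops at the path itself, -user accepts a numeric uid.
  if [ -z "$(find "$f" -prune -user "$(id -u)" -print)" ]; then
    echo "$f: not owned by uid $(id -u)" >&2; return 1
  fi
  # Columns 5-10 of ls -l are the group and other permission bits.
  bits=$(ls -ld -- "$f" | cut -c5-10)
  if [ "$bits" != "------" ]; then
    echo "$f: group/other bits set ($bits); chmod 600 it first" >&2; return 1
  fi
}

# Minimal extractor for a flat JSON string field ($1 file, $2 key); use jq when available.
json_string_field() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Export FEISHU_APP_ID/FEISHU_APP_SECRET for this shell only (no startup-file
# persistence), after the config file passes the checks above.
load_feishu_credentials() {
  check_secret_file "$OPENCLAW_CONFIG" || return 1
  FEISHU_APP_ID=$(json_string_field "$OPENCLAW_CONFIG" app_id)
  FEISHU_APP_SECRET=$(json_string_field "$OPENCLAW_CONFIG" app_secret)
  if [ -z "$FEISHU_APP_ID" ] || [ -z "$FEISHU_APP_SECRET" ]; then
    echo "$OPENCLAW_CONFIG: missing app_id or app_secret" >&2; return 1
  fi
  export FEISHU_APP_ID FEISHU_APP_SECRET
  # Log only what is safe to see: the id and the secret's length, never its value.
  printf 'loaded Feishu app %s (secret: %d chars)\n' "$FEISHU_APP_ID" "${#FEISHU_APP_SECRET}"
}
```

Sourcing this before a session (rather than pasting export lines into a terminal or a startup file) keeps the secret out of shell history and out of every process started from the login shell, and the success message never contains the secret, so it can safely land in logs or screenshots.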

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script persists personal/contact data such as phone numbers into agent.json and 员工名单.md (the employee roster) without warning, consent flow, minimization, or access-control considerations. In a workforce-management skill, this increases privacy and compliance risk because operators may store sensitive employee data in predictable local paths that could be broadly readable or committed to source control.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
`list_employees` prints each employee's phone number directly to stdout, which can expose personally identifiable information to any user who can run or view the command output. In this skill's context of managing agents/employees, bulk listing of staff data is plausible, but there is no access check, masking, consent, or warning, so the disclosure risk is real rather than theoretical.
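The masking this finding says is absent, as an added example written for this review rather than the skill's own `list_employees`. It assumes a roster of name<TAB>phone lines (the real layout of 员工名单.md is not shown on the page) and a hypothetical SHOW_PII switch for the rare case where full numbers are genuinely needed; by default only the last four digits survive:

```shell
#!/bin/sh
# Added example, not the skill's own list_employees: print the roster with
# phone numbers masked by default. Roster format and SHOW_PII are assumptions.
set -eu

# Constructed sample roster (fictitious names and numbers), one "name<TAB>phone" per line.
SAMPLE_ROSTER=$(printf 'Alice Zhang\t+86 138 0013 8000\nBob Li\t13912345678\nCarol Wu\t5551\n')

# Keep only the last 4 digits of a phone number; every other digit becomes '*'.
# Separators and country-code prefixes are dropped so the output reveals nothing
# beyond the suffix; numbers with 4 digits or fewer are masked completely.
mask_phone() {
  digits=$(printf '%s' "$1" | tr -cd '0-9')
  n=${#digits}
  if [ "$n" -le 4 ]; then
    printf '%*s\n' "$n" '' | tr ' ' '*'
  else
    last4=${digits#"${digits%????}"}
    printf '%*s%s\n' "$((n - 4))" '' "$last4" | tr ' ' '*'
  fi
}

# List employees from the roster text in $1. Full numbers are printed only when
# the caller has explicitly set SHOW_PII=1; everything else is masked.
list_employees() {
  printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name phone; do
    [ -n "$name" ] || continue
    if [ "${SHOW_PII:-0}" = 1 ]; then
      printf '%s\t%s\n' "$name" "$phone"
    else
      printf '%s\t%s\n' "$name" "$(mask_phone "$phone")"
    fi
  done
}
```

Masking at the point of output keeps bulk listings useful for identifying a record while keeping the full number out of terminal scrollback, shared screens, and any log that captures the command's stdout.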

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal