ClawHub
Back to skill

Security audit

Muguozi1 Openclaw Feishu Calendar

Security checks across malware telemetry and agentic risk

Overview

This Feishu calendar skill matches its calendar-management purpose, but it includes under-disclosed scripts that can delete, create, share, and locally persist calendar data without strong user safeguards.

Install only if you are comfortable granting this skill Feishu calendar permissions. Use a least-privilege Feishu app and a dedicated calendar, review scripts before running them, avoid cleanup/setup routines unless you intend their exact changes, and require confirmation before event deletion, recurring event creation, attendee invites, or shared-calendar membership changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This code explicitly loads a project-level .env file and uses its contents to initialize calendar API credentials, giving the skill access to external account secrets without any visible scoping, permission checks, or justification in the file. In an agent-skill context, secret loading is sensitive because it can silently enable unauthorized access to calendars and other connected resources if the skill is invoked in an unexpected context.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The file implements remote calendar enumeration, event listing, and event creation against Feishu/Lark without any visible authorization boundary, user consent, tenant restriction, or stated purpose. It also contains fallback behavior to the 'primary' calendar, which increases the chance of reading from or writing to a more privileged or unintended calendar when the requested calendar ID fails.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script enumerates calendars, deletes matching events, and creates a recurring maintenance event with no scope restriction, dry-run mode, or confirmation. In an agent-skill context, this grants the code broad capability to alter real calendar data despite no demonstrated authorization boundary or user approval, making unintended or unauthorized changes plausible.

Intent-Code Divergence

Low
Confidence
77% confidence
Finding
The function is described as clearing test events, but the deletion predicate also removes events containing 'Invite', which broadens scope beyond the stated purpose. That mismatch increases the chance of deleting legitimate invitation-related calendar entries and makes the behavior misleading for reviewers and operators.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases 'Mark this task' and especially 'Remind me to...' are broad natural-language patterns that can easily match ordinary conversation. In a calendar-creation skill, this raises the risk of unintended event creation or task marking without sufficiently explicit user intent, leading to unauthorized or confusing modifications to calendar data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation describes operations that can create events, add attendees, set up shared calendars, and sync to local state/memory, but it does not warn users that these actions modify calendar data and may propagate or store sensitive scheduling information. In a calendar-management context, missing disclosure increases the chance of users triggering state-changing actions without understanding their effects on personal or organizational data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup section instructs users to provide `FEISHU_APP_ID` and `FEISHU_APP_SECRET` but gives no guidance on secure secret handling. This omission can lead users to place credentials in insecure files, logs, or shared environments, increasing the likelihood of credential leakage and subsequent unauthorized access to calendar APIs.

Missing User Warnings

High
Confidence
95% confidence
Finding
The script performs irreversible deletion of calendar events without any confirmation prompt, dry-run mode, allowlist, or explicit operator acknowledgment. In an agent-skill context, this is especially dangerous because a mistaken invocation, wrong calendar selection, or overly broad matching rule could silently destroy legitimate user data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The addEvent method forwards user-controlled eventData directly to an external calendar API, enabling unreviewed writes to a remote system. Without confirmation, validation, or content restrictions, this can be abused to create misleading, spammy, or sensitive events in a connected calendar account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code performs irreversible event deletions immediately after a loose title match, without confirmation, backup, or soft-delete behavior. In a live calendar environment this can cause loss of legitimate scheduling data and makes accidental or unauthorized destructive changes much more damaging.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script persists raw calendar events to ../../memory/calendar_events.json without any notice, consent, minimization, or access-control considerations. Calendar data commonly contains sensitive titles, schedules, and identifiers, so silently storing it increases privacy risk and the blast radius if the workspace or logs are later exposed.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script rewrites HEARTBEAT.md using calendar-derived content, which can overwrite user-maintained content in that section without explicit warning or confirmation. Because event summaries are inserted directly into a Markdown file, sensitive schedule data may also be exposed to anyone with access to that file, and untrusted text could affect downstream rendering or automation that consumes the Markdown.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal