Feishu Bitable Merger

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Feishu table merge tool, but it can bulk-add records to a target table and should be used carefully.

Install only if you trust the publisher and intend to let the skill read and write Feishu Bitable data. Use a least-privilege Feishu app/account with write access scoped to the target table, double-check the source and target URLs before every run, and test on a non-production or backup table first, because the tool can add many records without an automatic confirmation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README demonstrates merge commands that write into a target Feishu Bitable and requests write permissions, but it does not clearly warn users that running the skill will modify the destination table and may trigger downstream automations, violate assumptions other workflows make about the table's contents, or create duplicate operational data. In an agent/tooling context, insufficient disclosure around write-capable behavior increases the chance of unintended destructive or workflow-affecting actions by users who assume the operation is read-only or low-risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill clearly performs write operations against a target Feishu Bitable and requests write permissions, but the description and usage text do not explicitly warn users that running it will modify destination data. This can lead to accidental overwrites, merges, deduplication side effects, or other unintended data changes by users who may assume it is read-only or non-destructive.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The command performs bulk writes into the target table immediately after reading source data, with no dry-run, confirmation prompt, overwrite warning, or record-count threshold safeguard. In an agent or automation context, this can cause unintended mass data modification or duplication if the wrong target URL or mappings are supplied.
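The safeguards the Overview asks operators to apply by hand and the three findings say the skill lacks (a dry run, an explicit confirmation, a record-count threshold, a source/target sanity check, and de-duplication against rows already in the target) can be enforced in a thin wrapper around the write step. The following is an added example written for this page, not code from the skill or its publisher. The Bitable URL layout, the caller-supplied write_batch callback, the BATCH_SIZE value, and the sample tokens and rows are assumptions or constructed data, so it runs offline.

```python
"""Guarded bulk-write wrapper for a Feishu Bitable merge (added example, not the skill's code).

Assumed, not taken from the page: Bitable URLs look like
https://<tenant>.feishu.cn/base/<app_token>?table=<table_id>&view=<view_id>, and the real
API call is a caller-supplied write_batch(app_token, table_id, records), so this runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlparse

BATCH_SIZE = 500  # chunk size handed to write_batch; an assumption, not a documented API limit

@dataclass(frozen=True)
class TableRef:
    app_token: str
    table_id: str

def parse_bitable_url(url: str) -> TableRef:
    """Extract (app_token, table_id); reject anything that is not one explicit Bitable table."""
    u = urlparse(url)
    if u.scheme != "https" or not u.netloc.endswith((".feishu.cn", ".larksuite.com")):
        raise ValueError(f"not a Feishu/Lark Bitable URL: {url!r}")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) != 2 or parts[0] != "base":
        raise ValueError(f"unsupported Bitable path: {u.path!r}")
    table = parse_qs(u.query).get("table", [])
    if len(table) != 1 or not table[0]:
        raise ValueError("URL must name exactly one table via ?table=...")
    return TableRef(app_token=parts[1], table_id=table[0])

@dataclass
class MergePlan:
    source: TableRef
    target: TableRef
    to_write: int      # records that would be appended to the target
    skipped: int       # source records dropped as duplicates
    written: int = 0   # records actually sent (stays 0 on a dry run)
    batches: int = 0

def guarded_merge(source_url: str, target_url: str, records: Iterable[Dict[str, object]],
                  write_batch: Callable[[str, str, List[Dict[str, object]]], None], *,
                  existing_target_rows: Iterable[Dict[str, object]] = (), key_field: Optional[str] = None,
                  max_records: int = 1000, dry_run: bool = True, confirm: bool = False) -> MergePlan:
    """Guards the findings say are missing: source != target, de-dup, threshold, dry run, confirmation."""
    src, dst = parse_bitable_url(source_url), parse_bitable_url(target_url)
    if src == dst:
        raise ValueError("source and target are the same table; refusing to merge a table into itself")
    recs, skipped = list(records), 0
    if key_field:  # drop rows whose key is already in the target, or earlier in the source
        seen = {row.get(key_field) for row in existing_target_rows}
        kept = []
        for r in recs:
            if r.get(key_field) not in seen:
                seen.add(r.get(key_field))
                kept.append(r)
        skipped, recs = len(recs) - len(kept), kept
    plan = MergePlan(src, dst, to_write=len(recs), skipped=skipped)
    if len(recs) > max_records:
        raise ValueError(f"{len(recs)} records exceed max_records={max_records}; raise it deliberately to proceed")
    if dry_run:
        return plan  # report only; the target is never touched
    if not confirm:
        raise PermissionError("live write needs confirm=True after the dry-run plan has been reviewed")
    for i in range(0, len(recs), BATCH_SIZE):
        batch = recs[i:i + BATCH_SIZE]
        write_batch(dst.app_token, dst.table_id, batch)
        plan.written += len(batch)
        plan.batches += 1
    return plan

# Constructed sample data: placeholder tokens and rows keyed by "order_id".
SOURCE_URL = "https://example.feishu.cn/base/bascnSRC000000001?table=tblsrc0000001&view=vewsrc01"
TARGET_URL = "https://example.feishu.cn/base/bascnDST000000001?table=tbldst0000001&view=vewdst01"
SOURCE_ROWS = [{"order_id": "A-1", "amount": 10}, {"order_id": "A-2", "amount": 20}, {"order_id": "A-3", "amount": 30}]
TARGET_ROWS = [{"order_id": "A-2", "amount": 20}]  # A-2 is already in the target

def run_demo() -> Dict[str, object]:
    """Dry run, then a confirmed live run against a recording writer, plus the three refusals."""
    sent: List[List[Dict[str, object]]] = []

    def fake_writer(app_token, table_id, batch):
        sent.append(batch)  # stands in for the real batch-create API call

    def refused(exc, target=TARGET_URL, **kw):
        try:
            guarded_merge(SOURCE_URL, target, SOURCE_ROWS, fake_writer, **kw)
            return False
        except exc:
            return True

    dedup = dict(existing_target_rows=TARGET_ROWS, key_field="order_id")
    preview = guarded_merge(SOURCE_URL, TARGET_URL, SOURCE_ROWS, fake_writer, **dedup)
    live = guarded_merge(SOURCE_URL, TARGET_URL, SOURCE_ROWS, fake_writer, dry_run=False, confirm=True, **dedup)
    return {"preview": preview, "live": live, "sent": sent,
            "same_table_refused": refused(ValueError, target=SOURCE_URL),
            "unconfirmed_refused": refused(PermissionError, dry_null=False) if False else refused(PermissionError, dry_run=False),
            "over_threshold_refused": refused(ValueError, max_records=2)}
```

Calling run_demo() shows the intended operator flow: the dry run reports two rows to append and one skipped duplicate without touching the target, the same call with dry_run=False and confirm=True sends a single batch, and the wrapper refuses a same-table merge, an unconfirmed live write, and a record count above the threshold before any write happens. The threshold is deliberately an explicit parameter rather than a hidden default so that raising it is a visible decision in the calling code.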

VirusTotal

0/65 vendors flagged this skill as malicious; all 65 reported it clean. A clean antivirus verdict says nothing about the write-capable behavior described in the findings above: the risk here is misuse of legitimately granted permissions, not malware.
