DashScope Web Search (Feishu)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Feishu web-search skill, but its image mode handles bot credentials and posts images with unsafe network and token handling.

Review carefully before installing. Use a narrowly permissioned Feishu bot, restrict allowed recipients, avoid using it in sensitive chats until TLS verification is fixed, protect or disable the /tmp token cache, and add URL, size, content-type, and private-network blocking before enabling automatic image sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Tainted flow: 'req' from os.environ.get (line 169, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
req = urllib.request.Request(url, headers={
    "User-Agent": "Mozilla/5.0 (compatible; FeishuImageBot/1.0)",
})
with urllib.request.urlopen(req, timeout=15, context=_ssl_ctx) as resp:
    with open(dest, "wb") as f:
        f.write(resp.read())
return True
Confidence
98% confidence
Finding
with urllib.request.urlopen(req, timeout=15, context=_ssl_ctx) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes Python scripts that use network access, environment variables, and likely local file operations, but it does not declare permissions or capabilities transparently in the manifest. This creates a trust and review gap: users and platform controls may not realize the skill can access secrets, contact external services, and write local state, which increases the chance of unintended data exposure or unsafe execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior understates materially sensitive actions: downloading arbitrary image URLs, uploading content to Feishu, sending messages to chats/users, reading Feishu credentials, and caching access tokens on disk. This mismatch is dangerous because users may believe they are only performing a web search, while the skill can transmit external content into enterprise chat systems and handle credentials in ways that expand the attack surface.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The helper silently loads Feishu credentials from local openclaw.json files if environment variables are absent, expanding its access beyond the declared web-search behavior. In an agent environment, this creates unexpected credential reach and may cause the skill to use sensitive local configuration without the operator realizing it.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script can actively send outbound Feishu chat messages, which is broader than a passive web-search helper and gives it messaging side effects. In an agent context, that increases risk because untrusted content or prompts could trigger communication to users or chats using locally available credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly states that images from search results are automatically downloaded, uploaded to Feishu, and sent into chats, but it does not clearly warn users that third-party content and search-derived URLs will be transmitted to external services. In a messaging-integrated skill, this creates a real privacy and data-governance risk because users may trigger external transfers without understanding what content leaves the local environment or enters Feishu.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation guidance is extremely broad and encourages proactive use for many ordinary factual requests, which can cause unnecessary external queries and data disclosure beyond user expectations. In context, this is more dangerous because the skill reaches third-party services and may also trigger downstream Feishu-related behaviors, so over-activation increases privacy and operational risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The image mode states that images are sent to the chat automatically, but it does not prominently require an explicit user warning or consent before posting content into Feishu. This is risky because search results may contain unexpected, unsafe, or irrelevant images, and the act of sending them into a chat is an outbound side effect that can impact users or groups immediately.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The credential fallback to local configuration happens without a runtime warning or disclosure, so operators may not realize the skill is accessing sensitive local files. In an agent setting, hidden credential sourcing undermines transparency and makes unreviewed privilege expansion more dangerous.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Image URLs taken from stdin are fetched and then relayed to Feishu without any execution-time notice that external content will be downloaded and uploaded. This can leak user-provided URLs, retrieve data from internal endpoints if abused for SSRF, and transmit content to a third party without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Sending image messages to a Feishu chat is a side effect with external impact, yet the script provides no execution-time disclosure beyond CLI semantics. In an automated agent workflow, that can cause unintended communications or data disclosure if the tool is invoked indirectly or with attacker-influenced inputs.

VirusTotal

64/64 vendors flagged this skill as clean.
