ClawHub

Feishu Send Message

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it gives agents broad Feishu message-sending power using local bot credentials and log-derived recipient IDs without enough safeguards.

Install only in environments where operators are authorized to use the Feishu bot credentials and contact the target users or groups. Restrict access to OpenClaw config files and gateway logs, avoid log-derived recipient IDs where possible, verify recipients before sending, and do not send secrets or sensitive incident details unless your organization explicitly permits it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs operators to mine gateway logs for user open_id values, which expands the capability from simple message sending into harvesting identifiers from operational logs. Even if open_id is not a secret credential, pulling user identifiers from logs creates privacy and access-boundary concerns and normalizes using log data for purposes beyond troubleshooting.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The embedded script accepts an arbitrary agent selector and then reads that agent's Feishu app credentials from local configuration, enabling message sending under different agent identities if those files are accessible. This broadens the skill from a scoped messaging helper into a credential-backed cross-agent action primitive, which can be abused for impersonation or unauthorized communication.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation shows how to read app credentials from local config and use them to obtain access tokens and send outbound messages, but it does not prominently warn that this uses sensitive credentials and can transmit data externally. In an agent-skill context, such omissions increase the chance of unsafe reuse, accidental disclosure, or unauthorized messaging with production identities.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill tells users to retrieve identifiers from system logs without clearly warning about the privacy and security implications of inspecting gateway logs. While the omission is less severe than direct credential exposure, it still encourages potentially inappropriate access to operational data and weakens safe-use guidance.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest explicitly describes sending Feishu messages using the current agent's credentials and instructs operators to obtain recipient open_id values from service logs, but it does not include any privacy, authorization, or recipient-verification safeguards. This creates a realistic risk of misdirected messages, unauthorized contact, or disclosure of sensitive content to the wrong user or chat, especially in a multi-agent environment where identifiers are app-scoped and easy to confuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script echoes the full message body to stdout before sending it. If messages contain secrets, incident details, credentials, tokens, personal data, or other sensitive content, that data can be exposed through terminal scrollback, CI/CD logs, shell history capture tools, or centralized logging systems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal