Feishu/Lark

Security checks across malware telemetry and agentic risk

Overview

This official Feishu/Lark integration is coherent and clean, but it gives agents real power to read, edit, delete, and share Feishu workplace data when configured.

Install only if you intend OpenClaw agents to operate inside Feishu/Lark with your app credentials. Limit Feishu app scopes, keep permission management disabled unless needed, restrict allowed senders/chats and local media roots, and require human confirmation for deletes, full-document overwrites, permission changes, and dynamic agent creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Context-Inappropriate Capability

Medium, 89% confidence
Finding:
The file contains broad local filesystem inspection and mutation capabilities: recursive JSON scanning, session-store loading/updating, directory backup/move, and artifact archival. Although framed as a doctor/repair feature, this is still security-relevant because a channel plugin gains authority to enumerate and modify local state outside narrow message-handling, increasing blast radius if invoked unexpectedly or if path assumptions fail.

Intent-Code Divergence

Medium, 89% confidence
Finding:
The feishu_chat tool is presented as a chat operations tool, but the member_info action calls contact.user.get and returns broad profile data including email, enterprise_email, mobile, department path, leader ID, city, country, employee number, and other HR-style attributes. This is a scope/authorization mismatch that can expose sensitive personal and organizational data to users or agents who may expect only chat metadata access.

Context-Inappropriate Capability

Medium, 93% confidence
Finding:
The code automatically creates per-user agent directories and workspaces, then rewrites the runtime configuration file based on inbound DM sender IDs. That turns an external messaging event into persistent local filesystem and config mutation, which can be abused to cause unauthorized agent proliferation, resource exhaustion, and unintended persistence/state changes without an explicit administrative approval boundary.

Context-Inappropriate Capability

Medium, 85% confidence
Finding:
Card actions are converted into synthetic text commands and passed back into the normal message handler, effectively treating UI events as privileged command input. If card payload validation or authorization is bypassed anywhere upstream, an attacker could trigger command execution paths such as reset/new/session-affecting actions through forged or replayed interactions.

Missing User Warnings

Medium, 87% confidence
Finding:
The write path calls clearDocumentContent before replacing the document, making feishu_doc action "write" a destructive overwrite. In an agent setting, ambiguous prompts or tool misuse can cause irreversible loss of existing document data without an explicit confirmation step at the operation site.

Missing User Warnings

Medium, 83% confidence
Finding:
deleteBlock and the table row/column deletion helpers perform destructive mutations immediately once called, with no confirmation or safety interlock. In a powerful agent-integrated skill, this increases the chance of accidental or prompt-induced data destruction across user documents.

Missing User Warnings

Medium, 80% confidence
Finding:
The skill accepts arbitrary remote URLs and fetches them server-side before uploading content into Feishu, which creates undisclosed outbound network access and data transfer behavior. In an agent context this can be abused for SSRF-like access to internal resources, unintended contact with attacker-controlled hosts, or exfiltration via fetch-and-upload workflows.

Missing User Warnings

Medium, 96% confidence
Finding:
The code treats a plain text message as a local filesystem path and automatically uploads the file if it is an absolute path with an image extension and exists. This can cause unintended exfiltration of local files because a user or upstream agent may believe they are sending text, while the runtime silently converts that text into a file upload to Feishu with no confirmation or explicit opt-in.

Missing User Warnings

Medium, 85% confidence
Finding:
The feishu_drive tool exposes a direct delete action that executes immediately against client.drive.file.delete with no in-code confirmation, safety interlock, or policy gate. In an agent setting, ambiguous prompts, prompt injection, or accidental tool use could cause irreversible deletion of files or folders, making this more dangerous than a normal manual API client.

Vague Triggers

Medium, 92% confidence
Finding:
The activation description uses broad phrases like 'Feishu docs, cloud docs, or docx links,' which can cause the skill to trigger in contexts where the user did not explicitly request document operations. Because this skill has both read and write capabilities, unintended activation increases the chance of unauthorized data access or accidental document modification.

Missing User Warnings

Medium, 95% confidence
Finding:
The documented 'write' action replaces the entire document but does not require or even recommend a user-facing warning or confirmation. In practice, this makes accidental or prompt-induced destructive overwrites much more likely, especially in an agent setting where ambiguous instructions or misfires can result in irreversible content loss.

Missing User Warnings

Medium, 90% confidence
Finding:
The skill exposes block deletion without any warning about destructive impact or recommendation to confirm with the user first. Since block IDs may be selected programmatically after listing document structure, an agent mistake or malicious prompt could delete targeted content with little friction.

Vague Triggers

Medium, 95% confidence
Finding:
The activation text uses broad everyday terms like 'cloud space,' 'folders,' and 'drive,' which can cause the skill to trigger in contexts where the user did not specifically intend Feishu Drive operations. Because this skill exposes state-changing capabilities such as move and delete, over-broad activation increases the chance of unintended file operations or data exposure through accidental invocation.

Missing User Warnings

Medium, 97% confidence
Finding:
The skill documents destructive operations like move and delete without any explicit warning, confirmation requirement, or safety guidance. In a file-management context with full-access permissions, this makes accidental or ambiguous requests more dangerous because the agent may modify or remove user data without clearly signaling the consequences.

Vague Triggers

Medium, 91% confidence
Finding:
The activation text is broad enough to trigger on common user language such as sharing, permissions, or collaborators, which can invoke a sensitive permission-management skill in routine collaboration contexts. Because this tool can add or remove access and grant full_access on Feishu resources, overbroad activation increases the chance of unintended high-impact permission changes without sufficiently explicit user intent.

Vague Triggers

Medium, 91% confidence
Finding:
The activation guidance is overly broad: triggering on generic mentions of 'knowledge base', 'wiki', or 'wiki links' can cause this skill to activate in many routine conversations that are not explicit requests to use Feishu. Because the skill exposes navigation and modification capabilities, over-activation increases the chance of unintended tool use and accidental access or changes in a user's workspace.

Missing User Warnings

Medium, 95% confidence
Finding:
The skill documents mutating actions such as create, move, rename, and the wiki-doc edit workflow without any requirement for user confirmation, dry-run behavior, or safety checks. In an agent setting, this creates a realistic risk of unintended content modification, relocation, or overwriting if the model misinterprets a request or is prompted ambiguously.

Session Persistence

Medium
Category: Rogue Agent
Content:
//#endregion
//#region extensions/feishu/src/dynamic-agent.ts
/**
* Check if a dynamic agent should be created for a DM user and create it if needed.
* This creates a unique agent instance with its own workspace for each DM user.
*/
async function maybeCreateDynamicAgent(params) {
90% confidence
Finding:
create it if needed. * This creates a unique agent instance with its own workspace for each DM user. */ async function maybeCreateDynamicAgent(params) { const { cfg, runtime, senderOpenId, dynamicCfg

VirusTotal

61/61 vendors flagged this plugin as clean.
