feishu-multi-agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Feishu bot relay, but it needs review because broad group-chat phrases can control a background auto-posting daemon and the code logs part of a Feishu access token.

Install only for a dedicated, approved Feishu group. Use least-privilege Feishu app permissions, protect the config file, consider setting require_mention=true and replacing broad trigger words with explicit commands, keep round counts low while testing, monitor and stop the daemon when done, and rotate credentials if logs containing token fragments were exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises operational behavior that clearly requires file, network, and shell capabilities, yet it declares no permissions at all. This under-specification prevents users and policy engines from understanding the true privilege boundary, making it easier for the skill to access chat history, write state files, and launch background processes without explicit consent review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose frames the skill as a relay for bot-to-bot discussion, but the described interface also enables arbitrary message sending, daemon lifecycle control, persistent state management, and parsing of ordinary user messages as control commands. That gap is security-relevant because users may authorize the skill for a narrow purpose while it actually supports broader autonomous and operator-driven actions in a group chat environment.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger hints include broad natural-language phrases such as discussion requests and common words like '继续', which can plausibly appear in normal conversation. In a group chat with autonomous replies, this increases the chance of accidental activation or state changes, potentially causing the bot to resume, lock topics, or continue multi-agent exchanges without deliberate operator intent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The description does not clearly warn users that the skill continuously polls group message history and can autonomously post replies on behalf of the local bot. In this context, the omission is dangerous because users may not realize the skill performs ongoing monitoring and autonomous actions in a shared chat, creating privacy, consent, and operational risks.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The configured control phrases are common natural-language words such as “继续”, “开始”, “讨论”, and “解锁”, and `require_mention` is set to false, so normal group chat messages can unintentionally trigger automation state changes. In this relay skill, unintended activation can start, continue, stop, or retarget multi-agent conversations without explicit operator intent, causing spam, loss of topic control, or automated replies in response to ordinary chat.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code logs the Feishu tenant access token prefix (`token[:20]`) after retrieval, which exposes sensitive credential material to anyone with access to the log output. Even partial token disclosure increases the risk of credential leakage through log aggregation systems, shared terminals, or support bundles, especially since this skill is designed to run as a background daemon and persist logs.

VirusTotal

65/65 vendors flagged this skill as clean.
