Feishu Doc Creator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Feishu document-creation skill, but it uses app-level credentials and can automatically change document ownership and sharing visibility, so users should review it before installing.

Install only if you trust the publisher and have approved the Feishu app permissions. Use a least-privileged Feishu app, review who can invoke the skill, and be especially careful with wen_admin mode because it can transfer control, add managers, and make documents visible across the enterprise.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill documentation describes capabilities to read environment variables, local configuration files, and access the network, but it does not declare corresponding permissions. This creates a transparency and consent problem: an agent or user may invoke the skill without realizing it can access local secrets from ~/.openclaw/openclaw.json or FEISHU_APP_SECRET and then use them for remote API calls. In a credential-handling skill, undeclared secret and file access increases the chance of unintended privilege use or abuse.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 94% confidence
Finding: The documented behavior omits several security-relevant actions: reading local credential files, using environment secrets, querying contact APIs, granting full_access permissions, making documents enterprise-visible in wen_admin mode, and not actually transferring ownership for slides despite claiming automatic transfer. This mismatch is dangerous because users and orchestrators may authorize a seemingly simple document-creation skill while it performs broader identity, permission, and sharing operations that materially affect data exposure and access control.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The function explicitly enables tenant-wide link sharing for created documents by setting share_entity to tenant and access to view. That broadens access beyond the requesting user and is not obvious from the skill description, so sensitive content could become visible to anyone in the organization without the creator understanding that exposure.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill can automatically transfer document ownership and, in wen_admin mode, make documents visible within the enterprise, yet the documentation lacks a clear warning and explicit consent flow around these actions. Those operations change access control and data visibility, so burying them in feature text increases the risk of accidental over-sharing or loss of intended ownership boundaries.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: In normal mode the script transfers ownership of newly created documents to the supplied user_open_id, and in other flows it may add collaborators or broaden sharing, all without explicit user confirmation or a visible warning. In an agent-driven context, silent permission and ownership changes are risky because they can be triggered on behalf of a user with little opportunity to notice or object.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal