
Security audit

MiniMax Feishu Music

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it advertises, but it has review-worthy issues around under-disclosed Feishu credential use and an unsafe output filename that can write outside its intended folder.

Review before installing. Use it only with non-sensitive prompts, lyrics, cover audio, and Feishu recipient IDs; protect music_config.json and openclaw.json as secrets. Avoid absolute paths or ../ in --title, and prefer a version that sanitizes output filenames and clearly documents Feishu credential use before deployment.
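As an added illustration (not the skill's own code), the Python below shows the output-filename problem the overview describes: a --title value joined straight onto the output folder, next to a version that reduces the title to a single safe path component and then confirms the resolved path still sits inside that folder. The folder name, the .mp3 extension, the function names and the sample titles are assumptions chosen for the example.

```python
import re
from pathlib import Path

# Constructed example values; the real skill's folder and flag handling are not shown on this page.
MAX_STEM_LEN = 64
# Keep ASCII letters, digits, '.', '_', '-' and CJK ideographs (song titles are often Chinese);
# every other run of characters collapses to one underscore.
_UNSAFE_RUN = re.compile(r"[^A-Za-z0-9._\u4e00-\u9fff-]+")


def unsafe_output_path(base_dir: str, title: str, ext: str = ".mp3") -> Path:
    """The pattern the audit warns about: the title is used as-is, so '../' or an
    absolute path moves the write outside base_dir."""
    return Path(base_dir) / (title + ext)


def sanitize_title(title: str) -> str:
    """Reduce a user-supplied --title to one filename stem with no path meaning."""
    # Keep only the last component, whichever separator the caller used.
    stem = re.split(r"[\\/]+", title.strip())[-1]
    stem = _UNSAFE_RUN.sub("_", stem)
    # Stripping leading/trailing dots and underscores removes '.', '..' and hidden-file names.
    stem = stem.strip("._")[:MAX_STEM_LEN]
    return stem or "untitled"


def escapes_base(base_dir: str, path: Path) -> bool:
    """True if the fully resolved path is not a direct child of base_dir."""
    base = Path(base_dir).resolve()
    return path.resolve().parent != base


def safe_output_path(base_dir: str, title: str, ext: str = ".mp3") -> Path:
    """Hardened form: sanitize the stem, then re-check the resolved location (defense in depth)."""
    candidate = Path(base_dir) / (sanitize_title(title) + ext)
    if escapes_base(base_dir, candidate):
        raise ValueError(f"refusing to write outside {Path(base_dir).resolve()}: {candidate}")
    return candidate


if __name__ == "__main__":
    for title in ["晚安 song", "../../etc/cron.d/evil", "/etc/passwd", "..", r"C:\Windows\Temp\..\x"]:
        print(repr(title), "->", safe_output_path("out", title))
```

The resolve-and-compare check matters on its own: even if the sanitizer is later relaxed, a write is only allowed when the final path is a direct child of the output folder.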

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger list includes very broad phrases such as 'send music', 'generate song', and '唱给我听', which can match ordinary user requests and cause the skill to activate when the user did not intend to invoke this specific integration. Because the skill sends content to external services and can message a Feishu recipient, unintended activation can lead to accidental data transmission and actions on behalf of the user.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill description does not clearly warn that prompts, lyrics, generated audio, and Feishu recipient identifiers may be transmitted to third-party services. Users may provide sensitive lyrics, references, or recipient data without realizing those inputs will leave the local environment, creating a privacy and consent risk.

VirusTotal

63/63 vendors flagged this skill as clean.
