Feishu Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to send reports to Feishu, but it uses a fixed Feishu webhook that could receive a user’s report data.

Install only if you control the listed Feishu webhook or replace it with your own before use. Treat anything sent through this skill as leaving OpenClaw for a Feishu/Lark channel, and avoid sending private reports, job-tracker details, financial information, or alerts until the destination and approval flow are clear.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill embeds a concrete external Feishu webhook URL and instructs operators to send report contents to it, but provides no warning, consent step, or data-classification guidance before transmitting potentially sensitive reports off-platform. In an agent setting, this creates a real risk of unintended exfiltration of internal, user, or alert data to a third-party endpoint, especially because the skill explicitly frames the webhook as a primary delivery channel.

VirusTotal

No VirusTotal findings

View on VirusTotal