Feishu Plugin Conflict Fix

Security checks across malware telemetry and agentic risk

Overview

This is a visible Feishu/OpenClaw troubleshooting guide, but some reset commands can remove Feishu plugin files and restart services if a user chooses to run them.

Install or use this only for Feishu/OpenClaw troubleshooting. Before running reset commands, back up ~/.openclaw/openclaw.json, list what matches ~/.openclaw/plugins/feishu*, confirm a gateway restart is acceptable, and verify the @larksuite/openclaw-lark package source and Feishu permissions in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 93% confidence

Finding: The skill advertises very broad trigger phrases such as '飞书冲突' ("Feishu conflict"), '工具冲突' ("tool conflict"), and 'TTS 语音' ("TTS voice"), which can match many benign support conversations and cause the skill to activate when not specifically needed. In a skill that contains configuration changes, restarts, plugin toggling, and reset commands, over-broad invocation materially increases the chance that disruptive or destructive guidance is surfaced in the wrong context.

Missing User Warnings

Medium, 96% confidence

Finding: The '紧急恢复' ("Emergency Recovery") section includes backup, deletion, reinstall, and restart operations, but it does not prominently warn about service interruption, data loss, plugin removal scope, rollback steps, or the need to verify paths before execution. Because this is operational guidance likely to be copied verbatim, the lack of explicit safety warnings makes accidental destructive execution much more likely.

VirusTotal

66/66 vendors flagged this skill as clean.
