
Security audit

Feishu Multi Agent Manager

Security checks across malware telemetry and agentic risk

Overview

This Feishu setup skill is mostly purpose-aligned, but it stores bot secrets in local config/backups and broadens agent permissions with limited consent controls.

Review before installing. Use a test OpenClaw environment first, avoid pasting production Feishu App Secrets into chat, inspect ~/.openclaw/openclaw.json and backup files after use, protect or delete backups containing secrets, use simple safe agent IDs, and only allow inter-agent communication for agents that should share access and context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
74% confidence
Finding
The skill advertises capabilities related to environment access while declaring no required permissions, which creates a transparency and consent gap. In a skill that provisions multiple agents, validates credentials, and edits configuration, undeclared env access could expose secrets or enable behavior the user did not explicitly authorize.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill automatically appends every newly created agent ID to the global `config.tools.agentToAgent.allow` list during creation, expanding inter-agent communication privileges beyond what is necessary to configure Feishu bots. This increases the blast radius of any compromised or misconfigured agent and silently changes the system's trust boundaries without explicit per-agent user consent.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill’s stated purpose is configuration assistance, but it also silently modifies the global inter-agent communication allowlist, expanding which agents may communicate through agent-to-agent tooling. That is a material capability change beyond simple setup and can broaden lateral access or message routing in ways the user may not expect.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The skill not only creates agents but also scaffolds persistent workspace files such as `SOUL.md`, `AGENTS.md`, and `USER.md` containing behavior prompts and profile templates. Omitting this from the description reduces transparency about persistent state creation and prompt injection surface added to each agent workspace.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly instructs users to paste Feishu App Secret values into a chat-based assistant workflow. Secrets entered into conversational channels may be logged, retained in transcripts, exposed to other agents or operators, or mishandled by downstream tooling, creating a realistic credential disclosure risk.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The documented trigger '开始配置' ("start configuration") is broad and lacks scope constraints or confirmation requirements. For a skill that can modify openclaw.json, back up files, and batch-create agent configurations, such a generic activation phrase increases the risk of accidental or socially induced invocation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to provide AppID and AppSecret for batch creation and validation but does not include warnings about secret handling, storage, logging, or configuration-file modification. Because this skill manages multiple credentials and edits persistent configuration, missing guidance materially increases the chance of secret leakage or unsafe deployment practices.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists Feishu `appId` and `appSecret` into `openclaw.json` and also creates plaintext backups of that configuration, but it does not clearly warn the user that secrets will be stored on disk and duplicated in backup files. This can expose credentials to other local users, backup systems, logs, or accidental file sharing, especially because the skill advertises automation rather than secret-handling risks.
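The overview's post-use advice (inspect ~/.openclaw/openclaw.json and its backups, protect or delete backups holding secrets) and the two findings above about the `config.tools.agentToAgent.allow` list and plaintext backups can be turned into a repeatable check. The script below is an added example; it is not code from the audited skill, from OpenClaw, or from SkillSpector. It assumes openclaw.json is a JSON document, that the allowlist sits at `tools.agentToAgent.allow` and that credentials are stored under `appId`/`appSecret` keys (all three names come from the findings); the sample config, the dummy credential values, the `${KEY}` placeholder convention and the backup file names are constructed for illustration.

```python
"""Post-use audit of an OpenClaw config edited by a Feishu setup skill.

Added example; not code from the audited skill, OpenClaw or SkillSpector.
Assumptions: openclaw.json is JSON, the inter-agent allowlist lives at
tools.agentToAgent.allow and credentials sit under appId/appSecret keys.
The sample document, "${KEY}" placeholders and backup names are constructed.
"""
import json
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Key names that indicate a credential value (matched case-insensitively).
SECRET_KEY_RE = re.compile(r"secret|token|password|api_?key", re.IGNORECASE)

# Constructed sample of what the skill leaves behind: agent IDs from the
# skill's role table, credential values are dummies.
SAMPLE_CONFIG = {
    "agents": [
        {"id": "main", "feishu": {"appId": "cli_dummy_main", "appSecret": "dummy-main"}},
        {"id": "dev", "feishu": {"appId": "cli_dummy_dev", "appSecret": "dummy-dev"}},
        {"id": "law", "feishu": {"appId": "cli_dummy_law", "appSecret": "dummy-law"}},
    ],
    "tools": {"agentToAgent": {"allow": ["main", "dev", "law"]}},
}


def find_secret_paths(node, path="$"):
    """Return JSON paths of keys holding a non-empty, non-placeholder secret."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if (SECRET_KEY_RE.search(key) and isinstance(value, str)
                    and value and not value.startswith("${")):
                hits.append(child)
            hits.extend(find_secret_paths(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_secret_paths(value, f"{path}[{i}]"))
    return hits


def unexpected_agent_to_agent(config, intended):
    """Agent IDs in tools.agentToAgent.allow beyond those meant to share context."""
    allow = config.get("tools", {}).get("agentToAgent", {}).get("allow", [])
    return sorted(set(allow) - set(intended))


def redact_secrets(node):
    """Deep copy with every secret value replaced by a "${KEY}" placeholder."""
    if isinstance(node, dict):
        return {k: (f"${{{k.upper()}}}" if SECRET_KEY_RE.search(k) and isinstance(v, str)
                    else redact_secrets(v)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_secrets(v) for v in node]
    return node


def exposed_backups(config_dir, live_name="openclaw.json"):
    """Backup copies that other local users can read or that still hold secrets."""
    problems = []
    for bak in sorted(Path(config_dir).glob("openclaw*")):
        if bak.name == live_name or not bak.is_file():
            continue
        if stat.S_IMODE(bak.stat().st_mode) & (stat.S_IRGRP | stat.S_IROTH):
            problems.append((bak.name, "readable by group/other"))
        try:
            data = json.loads(bak.read_text())
        except ValueError:
            continue  # not JSON, nothing to inspect structurally
        if find_secret_paths(data):
            problems.append((bak.name, "contains plaintext secrets"))
    return problems


def run_demo():
    """Audit a constructed config directory, then replace the leaky backup."""
    workdir = Path(tempfile.mkdtemp())
    (workdir / "openclaw.json").write_text(json.dumps(SAMPLE_CONFIG))
    backup = workdir / "openclaw.json.bak"      # plaintext backup as in the findings
    backup.write_text(json.dumps(SAMPLE_CONFIG))
    os.chmod(backup, 0o644)                      # typical default-umask mode
    config = json.loads((workdir / "openclaw.json").read_text())
    report = {
        "secret_paths": find_secret_paths(config),
        "unexpected_allow": unexpected_agent_to_agent(config, intended=["main", "dev"]),
        "backup_problems": exposed_backups(workdir),
    }
    # Fix: owner-only backup with placeholders instead of secrets, old copy removed.
    redacted = workdir / "openclaw.redacted.json"
    redacted.write_text(json.dumps(redact_secrets(config), indent=2))
    os.chmod(redacted, 0o600)
    backup.unlink()
    report["after_fix"] = exposed_backups(workdir)
    shutil.rmtree(workdir)
    return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it against a real install by pointing `exposed_backups` at ~/.openclaw and passing the agents you actually intend to connect to `unexpected_agent_to_agent`; any extra ID the skill appended shows up as a candidate to remove from the allowlist. The placeholder rewrite only makes the backup safe to keep; the live config still holds the secrets on disk, so its mode and the backup's both need to be owner-only.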

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code writes credentials, configuration, and agent workspace files to disk during execution without a clear user-facing warning or consent checkpoint immediately before persistence. Because the data includes Feishu secrets and behavioral/profile files, unexpected disk writes can expose sensitive information to local users, backups, logs, or other tooling.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The skill derives the home directory from environment variables and stores configuration and secrets under that path without prominently disclosing the exact storage destination in the execution flow. While not inherently malicious, it can cause secrets to be written to an unexpected location, especially in shared, containerized, or misconfigured environments.

Ssd 3

Medium
Confidence
98% confidence
Finding
The documented workflow tells users to submit sensitive App Secret material directly in assistant messages. Chat channels are commonly stored in logs and histories and may be visible to admins, support tools, or integrated systems, so this materially increases the chance of credential leakage and account compromise.

Ssd 3

Medium
Confidence
96% confidence
Finding
The bulk workflow encourages users to provide multiple credentials at once, concentrating several sensitive secrets into a single interaction. That increases blast radius if the conversation is logged or exposed, because compromise of one transcript can reveal all bot credentials for the deployment.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs users to paste full App ID and App Secret into the chat workflow, causing secrets to transit and potentially persist in chat history, session logs, telemetry, or debugging traces. In an agent framework, chat channels are often less controlled than dedicated secret inputs, so this meaningfully increases the chance of credential disclosure.

Ssd 3

Medium
Confidence
86% confidence
Finding
The generated `USER.md` template directs agents to learn and persist user identity, preferences, and notes for personalization. Persistently recording personal data without clear consent, scope limits, retention controls, or minimization creates privacy and data-handling risk if the workspace is accessed, synced, or reused.

Ssd 3

Medium
Confidence
90% confidence
Finding
Several agent templates instruct persistent recording of user preferences, business details, legal context, financial data, and work history into memory files. Because these categories can include sensitive personal and organizational information, the generated behavior broadens long-term data collection without consent boundaries or classification-aware storage safeguards.

Hidden Instructions

High
Category
Prompt Injection
Content
| Role | Responsibility | Emoji |
|------|------|------|
| main | General manager - coordinates everything | 🎯 |
| dev | Development assistant - technical architecture | 🧑‍💻 |
| content | Content assistant - copywriting | ✍️ |
| ops | Operations assistant - user growth | 📈 |
| law | Legal assistant - contract review | 📜 |
Confidence
87% confidence
Finding

VirusTotal

62/62 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.