feishu-lark-cli

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Lark/Feishu messaging skill, but it can read and change real chat data when authorized.

Install only if you want an agent to operate on your Lark/Feishu workspace. Grant the narrowest OAuth scopes, confirm recipients, group members, identity, and message content before state-changing actions, avoid broad all-chat searches unless necessary, and treat downloaded chat attachments as sensitive untrusted files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The manifest description understates the skill's actual capabilities by omitting sensitive operations such as message recall, forwarding, pin management, chat creation/update, and chat-link retrieval. This creates a transparency and consent problem: an agent or user selecting the skill based on the manifest may authorize broader messaging and group-management actions than they reasonably expect.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
Message read-status querying exposes behavioral metadata about who has seen a message and when, which is privacy-sensitive and can support surveillance or social engineering. Because this capability is not reflected in the stated purpose, it represents hidden access beyond user expectations and increases the risk of misuse under bot identity.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill advertises searching chat history and downloading files but does not include an explicit warning that these operations can access private conversations and attachments. In an agent setting, that omission can normalize broad data access and lead users to invoke the skill without understanding the confidentiality impact.

Missing User Warnings

Low
Confidence: 93%
Finding
The documentation instructs the agent to create chats and invite members, which changes workspace state and affects other users, but it does not prominently require confirmation before performing those actions. In an agent setting, this can lead to unintended group creation or unauthorized invitations if user intent is ambiguous, especially because the commands operate on real tenant resources.

Missing User Warnings

Low
Confidence: 95%
Finding
The example chains group creation directly into sending a welcome message, which can cause the agent to post live content to a newly created chat without a separate confirmation step. That increases the risk of accidental or premature communications to real users, turning a state-changing action into an externally visible message broadcast.

Missing User Warnings

Medium
Confidence: 92%
Finding
This skill exposes a command for listing conversation messages, including sender names, message content, mentions, thread IDs, and recalled/edited status, but it does not prominently warn that the output may contain sensitive personal, business, or confidential data. Although it notes required read permissions in troubleshooting, that is not the same as a clear privacy and least-privilege warning; an agent or user could retrieve and surface private chat contents more broadly than intended.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly enables batch retrieval of full message content and sender identity data, but it provides no warning about handling sensitive communications, minimizing collection, or verifying authorization and user intent before access. In a messaging context, this increases the risk of unnecessary exposure of private conversations, personal data, and confidential business information through overbroad or casual use.

VirusTotal

64/64 vendors flagged this skill as clean.