Li Gaowei Auto-Reply Assistant (李高伟自动回复助手)

Security checks across malware telemetry and agentic risk

Overview

This skill is disclosed as a Feishu private-message auto-responder, but it needs review because it can continuously read workplace DMs, send replies automatically, and retain chat metadata with limited consent and retention controls.

Install only if the Feishu account owner and organization explicitly approve automated monitoring and replies. Use dry-run or approval-before-send where possible, narrow the allowed chats and keywords, review the reply templates, and define how the memory log and local cache are retained or deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs writing coworker message metadata and reply summaries into a local memory file but does not declare permissions for file write behavior. Undeclared persistence is risky because it creates hidden data retention and weakens reviewability of what private information the skill stores.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior claims continuous scanning of private chats and automated replies, but the implementation summary indicates that the scanning and reply logic is not actually present in the code, while unrelated local config and cache persistence is. This mismatch is security-relevant because reviewers and users may trust the declared workflow while hidden or undocumented behaviors handle data locally in ways they did not consent to.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The code relies on the caller to enforce private-chat filtering but does not verify `dm_only` itself before generating replies. In the skill context, this could cause the auto-responder to answer in unintended contexts such as group chats or other channels, leaking automated internal business guidance to broader audiences and creating privacy or information-disclosure risk.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The manual trigger phrases '帮我回复' ("reply for me") and '自动回复一下' ("auto-reply to this") are common conversational language and can easily appear in forwarded or quoted chat content. Overbroad triggers increase the chance of unintended activation, causing the skill to generate or send replies to private conversations without a sufficiently deliberate user action.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The automatic scan is described as running every 30 seconds over unreplied private messages, but the activation boundaries and reply conditions are not tightly constrained. In the context of private coworker chats, ambiguous scanning criteria can lead to continuous monitoring, mistaken classification of conversations, and unauthorized automated responses.
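The three findings above (no in-code `dm_only` check, triggers that fire on quoted text, and an unbounded periodic scan) share one fix: a reply gate that enforces every condition itself instead of trusting the caller. The following is an added example written for this review, not code from the skill or from SkillSpector. It assumes a simplified message record whose `chat_type` uses Feishu-style values ("p2p" for a private chat, "group" otherwise) and treats lines beginning with ">" as quoted content; the field names, the allow-list, and the 60-second scan window are assumptions for illustration.

```python
"""Reply gate for a DM auto-responder (added example, not the skill's code).

Assumed message shape: chat_id, chat_type ("p2p" or "group"), sender_id,
the sender's own text, an optional quoted/forwarded block, and a receive time.
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Message:
    chat_id: str
    chat_type: str          # "p2p" = private chat, "group" = group chat (assumed values)
    sender_id: str
    text: str               # the sender's own text
    quoted_text: str = ""   # forwarded/quoted block, never used for triggering
    ts: float = 0.0         # unix time the message was received


@dataclass(frozen=True)
class ReplyPolicy:
    dm_only: bool = True
    allowed_chats: frozenset = frozenset()        # empty set means reply nowhere
    triggers: tuple = ("帮我回复", "自动回复一下")  # manual trigger phrases from the review
    max_age_s: float = 60.0                       # bound the periodic sweep to recent messages
    approval_before_send: bool = True             # queue drafts instead of sending them


def own_text(msg):
    """Drop quoted lines ('> ...') so forwarded content cannot fire a trigger."""
    lines = [ln for ln in msg.text.splitlines() if not ln.lstrip().startswith(">")]
    return "\n".join(lines).strip()


def should_reply(msg, policy, now=None):
    """Return (allowed, reason). Every check is enforced here, not by the caller."""
    now = time.time() if now is None else now
    # 1. Enforce dm_only in the skill itself rather than assuming the caller filtered.
    if policy.dm_only and msg.chat_type != "p2p":
        return False, "not a private chat"
    # 2. Explicit allow-list of chats; absent from the list means no automation.
    if msg.chat_id not in policy.allowed_chats:
        return False, "chat not on allow-list"
    # 3. Bound the scan window so an old unreplied thread is not answered later.
    if now - msg.ts > policy.max_age_s:
        return False, "older than scan window"
    # 4. Trigger must lead the sender's own text; quoted_text is deliberately ignored.
    body = own_text(msg)
    if not any(body.startswith(t) for t in policy.triggers):
        return False, "no deliberate trigger in sender's own text"
    return True, "ok"


def plan(msg, policy, now=None):
    """Turn the gate decision into an action; drafts go to a human unless sending is enabled."""
    ok, reason = should_reply(msg, policy, now)
    if not ok:
        return {"action": "skip", "reason": reason}
    action = "queue_for_approval" if policy.approval_before_send else "send"
    return {"action": action, "reason": reason}


if __name__ == "__main__":
    policy = ReplyPolicy(allowed_chats=frozenset({"oc_allowed"}))
    now = 1000.0
    for m in (
        Message("oc_allowed", "group", "u1", "帮我回复 这个问题", ts=990.0),  # constructed
        Message("oc_allowed", "p2p", "u1", "帮我回复 这个问题", ts=990.0),    # constructed
        Message("oc_allowed", "p2p", "u1", "看下这个：\n> 帮我回复", quoted_text="帮我回复", ts=990.0),
    ):
        print(m.chat_type, plan(m, policy, now))
```

The gate returns the reason for every refusal so that the 30-second sweep can be audited after the fact; a deployment that wants fully automatic sending sets `approval_before_send=False` deliberately rather than as the default.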

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill continuously monitors and automatically replies to private messages but does not present a clear user-facing warning or consent model for that surveillance and automation. In a workplace messaging context, undisclosed monitoring of private chats and automatic response generation creates significant privacy, trust, and compliance risk.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill directs retention of private coworker message details, sender names, question summaries, and reply summaries in a memory file. Persisting private-chat content outside the messaging platform expands the data exposure surface, increases insider-access risk, and may violate data-minimization or retention requirements.
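For the two persistence findings (Lp3 and this one), a reviewer would want to see what a minimized, time-bounded memory log looks like. The following is an added example, not code from the skill: it stores a keyed pseudonym instead of the sender's name or ID, strips e-mail addresses and long digit runs from the summaries, creates the file owner-only, and prunes records past a retention window. The JSON-lines layout, the one-week retention, and the redaction patterns are assumptions chosen for illustration.

```python
"""Minimized memory log for a DM auto-responder (added example, not the skill's code)."""
import hashlib
import hmac
import json
import os
import re
import time

RETENTION_S = 7 * 24 * 3600            # assumed retention window: one week
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_LONG_DIGITS = re.compile(r"\d{6,}")   # phone, ID and order numbers


def pseudonym(sender_id, key):
    """Keyed hash: links one sender's turns without storing their name or ID."""
    return hmac.new(key, sender_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize(text, max_len=120):
    """Keep a short summary only; never the raw chat text or contact details."""
    text = _EMAIL.sub("[email]", text)
    text = _LONG_DIGITS.sub("[number]", text)
    return text[:max_len]


def append_record(path, key, sender_id, question_summary, reply_summary, now=None):
    """Append one minimized record; the file is created owner-read/write only."""
    now = time.time() if now is None else now
    rec = {
        "ts": now,
        "sender": pseudonym(sender_id, key),
        "q": minimize(question_summary),
        "a": minimize(reply_summary),
    }
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as f:
        f.write(json.dumps(rec, ensure_ascii=False) + "\n")
    return rec


def load_records(path):
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as f:
        return [json.loads(ln) for ln in f if ln.strip()]


def prune(path, now=None, retention_s=RETENTION_S):
    """Rewrite the log keeping only records inside the retention window; return the number dropped."""
    now = time.time() if now is None else now
    recs = load_records(path)
    keep = [r for r in recs if now - r["ts"] <= retention_s]
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        for r in keep:
            f.write(json.dumps(r, ensure_ascii=False) + "\n")
    os.replace(tmp, path)   # atomic swap so a crash never leaves a half-written log
    return len(recs) - len(keep)


if __name__ == "__main__":
    import tempfile
    p = os.path.join(tempfile.mkdtemp(), "memory.jsonl")
    key = b"demo-key"   # constructed; in practice load from the platform's secret store
    now = 1_000_000.0
    # constructed sample: one stale record and one fresh one
    append_record(p, key, "ou_alice", "asked about vendor contract, call 13800138000",
                  "sent pricing to a@example.com", now=now - 10 * 24 * 3600)
    append_record(p, key, "ou_bob", "status of release", "replied: Friday", now=now - 3600)
    print("dropped", prune(p, now=now), "records; remaining:", load_records(p))
```

Running `prune` on the same schedule as the 30-second scan (or at startup) turns the retention period from a documentation promise into enforced behaviour, and the pseudonym key can be rotated to break linkability between old and new records.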

VirusTotal

VirusTotal findings are pending for this skill version.
