Wang Hao Auto-Reply Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Feishu auto-reply skill, but it can monitor private workplace messages and send replies without Wang Hao approving each one.

Install only if Wang Hao and the organization explicitly want an automated Feishu responder with access to private chats, group mentions, internal documents, and outbound reply authority. Before use, configure chat and source allowlists, require approval for sensitive or uncertain replies, restrict or sandbox attachment transcription, and set a short retention/redaction policy for the memory log.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The skill tells the agent to invoke `exec` and run a local Python script on downloaded message attachments. That introduces arbitrary local code-execution capability into a messaging auto-responder, expanding its privileges beyond message handling and creating a path for abuse if file paths, scripts, or execution context are manipulated.

Context-Inappropriate Capability

Severity: Medium
Confidence: 76%
Finding: The skill authorizes access to broad internal knowledge bases including HR, finance, IT, brand, and general office resources, which exceeds the stated scope of answering business questions from Wang Hao's team. This over-broad data access increases the chance that the agent retrieves and discloses internal information unrelated to the requester's need or authorization.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The manual trigger phrases are very broad and overlap with ordinary conversation, making accidental activation likely. In this skill, a false trigger is especially risky because activation can lead to message retrieval, knowledge-base access, and external replies sent as Wang Hao's assistant.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The skill is designed to scan messages every 20 seconds and directly reply to coworkers without Wang Hao's confirmation. That creates a meaningful integrity and privacy risk because the agent can autonomously send incorrect, unauthorized, or sensitive responses into real conversations.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill performs message search, private-message processing, knowledge-base lookup, and persistent logging but does not define privacy boundaries, minimization rules, retention limits, or user notice. This makes inappropriate collection and secondary use of coworker communications more likely, especially in private chats.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The skill requires storing coworkers' names, message IDs, message contents, and reply summaries in a persistent memory file. This creates a secondary repository of internal communications outside the original chat system, increasing exposure risk, retention risk, and the chance that sensitive or personal data is later accessed for unrelated tasks.

VirusTotal

VirusTotal findings are pending for this skill version.