Storage Manager

Security checks across malware telemetry and agentic risk

Overview

This Feishu storage skill is broadly coherent, but it ships real-looking embedded Feishu credentials and can use them for remote reads, writes, and uploads without requiring user configuration first.

Review before installing. Do not use this package until the embedded Feishu credentials and table identifiers are removed and rotated, and until it fails closed when credentials are missing. Use a dedicated low-privilege Feishu app/table, expect item names, locations, and selected photos to be uploaded to Feishu, and be cautious with automatic location matching because it can create or update persistent remote records without a confirmation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares only a Bash tool scope but its documented behavior and detected capabilities include environment-variable access, file writing, shell execution, and outbound network use. This creates a permission-transparency gap: users and reviewers cannot accurately assess what the skill can do, increasing the risk of secret exposure, unintended external data transfer, or local system modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a storage assistant, but the documented behavior extends to external API access, reading/writing cloud records, uploading images, updating records, installing dependencies, and even hardcoded default credentials/table identifiers. This mismatch is dangerous because users may invoke the skill without understanding it performs networked data operations and local installation steps, and hardcoded identifiers can expose or misuse another tenant's resources.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code embeds Feishu app credentials and uses them to obtain a tenant access token, enabling authenticated access to external Feishu resources. Hard-coded secrets in a distributable skill are highly sensitive because anyone with code access can extract them and use them to read or modify the associated tenant's Bitable data.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill enumerates all records in the configured Feishu Bitable and creates new records remotely, which expands its access beyond a narrowly local storage helper. In context, broad remote table access increases data exposure because the skill can collect all existing locations and interact with potentially unrelated records in the table.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code embeds live Feishu app credentials and tokens directly in source as fallback defaults. Hard-coded secrets enable unauthorized access to the connected Feishu tenant/bitable by anyone who can read the skill code, which is especially dangerous because this skill is designed to authenticate and write records to external services.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code hardcodes Feishu app credentials, a bitable token, and a table ID directly in the source as fallback defaults. Anyone who can read the skill can reuse these secrets to authenticate to the associated Feishu tenant and access or modify remote storage records, which is a direct secret-exposure issue rather than a normal storage-management feature.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The code embeds live Feishu app credentials and table identifiers directly in source as default values, which exposes secrets to anyone who can read the file and enables unauthorized API access. In an agent skill context, this is especially dangerous because the skill performs authenticated remote reads, writes, and file uploads, so leaked credentials can be abused to access or modify external data.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The test code hardcodes live Feishu credentials and immediately uses them to authenticate to an external API. Even in a test file, embedded secrets can be extracted from source control, reused by anyone with code access, and enable unauthorized access to external storage data tied to the skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The test file hardcodes live Feishu application credentials and a Bitable token directly into source code, which exposes secrets to anyone with repository or artifact access. Because the script instantiates the storage manager and performs real service operations, these credentials can be reused to access or modify external Feishu data outside the intended test context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that item data, locations, and images are uploaded through the Feishu Bitable API, but it does not warn users that potentially sensitive personal information and attachments will be transmitted to a third-party cloud service. In a storage-management skill, stored item names, locations, and photos can reveal highly sensitive personal or physical-security information, so missing disclosure meaningfully increases privacy and misuse risk.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README instructs users to configure Feishu application credentials and table tokens but provides no guidance on secure secret handling. This can lead users to hardcode, expose, or improperly share credentials, which may allow unauthorized access to Feishu data or API resources.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill emphasizes fully automatic matching and 'no confirmation' behavior for location assignment, which can silently misfile records when fuzzy matching is wrong. In this context, misclassification affects the integrity and recoverability of a user's inventory data, and could also attach the wrong images or overwrite expected organizational meaning.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The documentation instructs users to export app credentials and tokens but gives no warning that these values are sensitive secrets with broad access to Feishu resources. This can lead to accidental disclosure through shell history, logs, screenshots, shared terminals, or copied setup snippets, enabling unauthorized access to records and files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly advertises automatic location matching and record creation without user confirmation, which can cause unintended writes or updates if the similarity match is wrong. In this context, the tool performs persistent changes to a Feishu table, so a bad match can silently corrupt inventory/location data and propagate mistakes across later searches and updates.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The help text explicitly normalizes operation without secondary confirmation for storage actions, which can encourage silent state-changing behavior in an agent context. In a skill that can add items and upload location photos, skipping confirmation increases the risk of unintended or user-unapproved changes, especially when location matching is automatic.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The add-location-photo flow accepts a local image path and passes it to the manager for upload without any user-facing disclosure that image data may be transmitted to an external service. In this skill context, location photos can reveal private surroundings, documents, or other sensitive household information, so undisclosed transmission materially raises privacy risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
Hard-coded credentials are present and automatically used without any user-facing disclosure, creating both secret exposure and silent authenticated remote access. This is dangerous because users and deployers may not realize the skill is operating with embedded third-party credentials that grant access to external services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill uploads image files and structured record data to Feishu APIs, but the code does not provide clear consent, disclosure, or boundaries around what leaves the local environment. That creates privacy and compliance risk, especially because item names, locations, and images can contain sensitive personal information.

Missing User Warnings

High
Confidence
99% confidence
Finding
Using hard-coded fallback credentials without prominent warning or fail-closed behavior means the skill may silently connect to a real Feishu app/bitable even when the operator did not intend to supply credentials. This increases the chance of accidental data exposure, unauthorized writes, and credential reuse across deployments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code uploads a local file to a remote Feishu endpoint with no explicit consent, warning, or validation in this code path. In an agent skill context, this can cause unintended exfiltration of local user data if the caller passes a sensitive or incorrect file path, especially because the function accepts arbitrary local paths.

Missing User Warnings

High
Confidence
99% confidence
Finding
Using hardcoded Feishu credentials as defaults means the skill will silently operate against a real remote tenant even when the deployer has not configured their own credentials. This creates unauthorized data access and persistence risk, and the lack of disclosure makes accidental misuse more likely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The upload_image function reads a local file and sends its contents to Feishu over the network, but there is no user-facing consent, warning, or confirmation that local image data will leave the machine. In a skill context, silent exfiltration of local file contents is risky even if the intended purpose is image attachment.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The add_storage_item workflow transmits item names, locations, and optionally images to a remote Feishu bitable without any visible disclosure that the data is being persisted externally. This is a real privacy and data-handling issue because users may assume the tool is only managing local storage metadata.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill reads a local image path and uploads the file contents to Feishu without any explicit consent, warning, or clear disclosure that local files leave the host. This creates a privacy and data-exfiltration risk, especially if users provide sensitive file paths or the agent is used in an environment where local files may contain personal or confidential information.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill sends item names, locations, and updates to Feishu over the network without prominently warning users that their data is being transmitted to an external SaaS platform. While remote sync is part of the feature, the lack of disclosure can cause unintended sharing of sensitive household, inventory, or location information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal