ClawHub

飞书文档权限自动添加

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended to fix Feishu document access, but it handles app secrets and document permissions in ways users should review carefully before installing.

Install only if you intentionally want this skill to change Feishu document permissions. Before use, verify exactly who will receive access, require confirmation for each permission change, avoid granting full_access unless necessary, and do not paste Feishu App Secret into chat; configure credentials through a protected secret store or local secure settings instead. Rotate any secret already pasted into a conversation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly guides the agent to collect Feishu App ID/App Secret from the user in chat and then save them to a local config file. That exceeds the narrow task of permission repair and creates a credential-handling workflow inside a conversational skill, increasing the chance of secret exposure, retention, and misuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly promotes automatic permission grants on Feishu documents but does not prominently warn that this changes document access control and may expose content to additional users. In a skill whose core function is modifying ACLs, missing explicit consent/scope warnings can lead to unintended sharing or over-permissioning, especially if triggered automatically after document creation or in response to access complaints.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description is broad enough that the skill could trigger on many ordinary Feishu document interactions, not just explicit permission-fix requests. Because the skill can read config, obtain access tokens, and modify document permissions, accidental invocation can cause unintended privilege changes.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill tells users to send App Secret directly in chat but does not present a strong warning or alternative secure channel. Secrets pasted into conversation may be logged, retained, exposed to other tools/plugins, or visible in transcripts, making credential compromise much more likely.

Ssd 3

High
Confidence
98% confidence
Finding
This section operationalizes a full secret-ingestion pipeline: ask for App Secret in chat, validate it by calling Feishu, and persist it into ~/.openclaw/openclaw.json. That directly increases the attack surface for credential theft through chat logs, local file compromise, prompt leakage, or unauthorized reuse by other skills/processes.

Ssd 3

Medium
Confidence
79% confidence
Finding
The skill directs the agent to derive ownerOpenId from session context and optionally write it into persistent config. Although less sensitive than an app secret, it is still identity data, and harvesting or persisting it without explicit consent/data-minimization controls can create privacy issues and enable unintended permission assignments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal