Security audit

feishu-calendar-meeting

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple Feishu calendar helper that openly uses a Feishu token to create real calendar events and video meetings.

Install only if you want an agent to help create Feishu calendar meetings. Keep the Feishu token private, restrict access to the token file, avoid printing the token in logs or chat, and review the calendar ID, title, time, and video-meeting setting before sending the API request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs reading a user access token from a local file and using it in API calls, but provides no guidance on secure handling, redaction, least-privilege use, or avoiding accidental disclosure in logs/history. Because the token grants access to the user's Feishu resources, mishandling it could enable unauthorized calendar access and further account actions within the granted scopes.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill is designed to create calendar events and video meetings through the Feishu API, which modifies the user's remote calendar state, but it does not clearly warn that executing the workflow will create live calendar entries. In an agent setting, insufficient disclosure increases the risk of unintended actions, user surprise, or social-engineering abuse where the user does not realize a real external side effect will occur.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.