ClawHub

Feishu Webhook Skill

Security checks across malware telemetry and agentic risk

Overview

This is a Feishu/Lark messaging helper whose external sending and image upload behavior is aligned with its stated purpose, but users should handle webhook URLs and tenant tokens carefully.

Install this only if you want an agent to send selected content and images to Feishu/Lark. Treat webhook URLs and FEISHU_TENANT_ACCESS_TOKEN as secrets, avoid passing tokens on the command line, use the least-privileged token available, and confirm the destination and content before sending sensitive internal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
72% confidence
Finding
The skill is framed as a webhook-sending utility, but the documentation also discusses reply/edit message APIs, which are broader message-management capabilities than a simple inbound webhook. That scope expansion can mislead users about what data access and actions are involved, increasing the chance of overprivileged integrations or unintended API usage.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger keywords are very broad (`消息`, `通知`, `webhook`, `Feishu`, etc.), so the skill may activate in unrelated conversations involving generic messaging terms. In this context, unintended invocation is risky because activation could cause sensitive user content or webhook endpoints to be processed for external transmission.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill does not clearly warn users that message content, images, and possibly credentials or webhook identifiers will be transmitted to an external Feishu service. In a messaging/integration skill, this omission is materially dangerous because users may provide sensitive operational, personal, or internal data without understanding the external disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to obtain and use a tenant_access_token from the environment without any warning that this token is a sensitive credential. In an agent skill context, this increases the chance the token will be mishandled, logged, echoed back in chat, or reused unsafely, which could enable unauthorized access to Feishu APIs within the tenant.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Documenting --token <tenant_access_token> as a normal usage pattern encourages passing secrets on the command line, where they are commonly exposed through shell history, process listings, audit logs, and terminal recordings. In an agent-assisted workflow, this is especially risky because users may follow the example verbatim, causing credential leakage that could let an attacker send messages or interact with Feishu resources as the tenant.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal