Feishu Task Workbench

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Feishu task workbench that stores local task metadata and routes messages to task sessions for its stated purpose.

Install this only if you want Feishu messages to manage separate OpenClaw task sessions. Review the host settings before enabling cross-session tools, and avoid putting highly sensitive information in task titles or summaries because the local registry stores them with session keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill instructs the agent to read and write local registry files but does not declare those capabilities as explicit permissions. Hidden or undocumented file access increases the risk of unexpected persistence, unauthorized modification of local state, and bypass of host-side policy expectations about what the skill can do.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior claims isolated task routing via sessions_spawn, sessions_send, and sessions_history, but the actual described implementation appears to rely on a local JSON registry and does not perform the promised session isolation. This mismatch can mislead operators into believing tasks are separated and safely routed when they may instead be stored locally and handled without the expected isolation guarantees.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill instructs the agent to reveal the registry file path to the user without warning or access controls. Exposing internal persistence locations can aid attackers in targeting local files, inferring multi-tenant layout, or crafting follow-on requests that manipulate sensitive on-disk state.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill explicitly persists task titles, summaries, status, and session linkage under `tasks/feishu/<account>/<peer>.json`, but the documentation provides no user notice, consent flow, retention policy, or guidance on handling potentially sensitive task content. In a chat workbench context, persisted metadata can reveal project names, work progress, counterpart identifiers, and conversation-derived summaries, creating privacy and compliance risk if users assume the interaction is ephemeral.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The protocol defines any ordinary plain-text follow-up as implicit routing to the current task, which creates an overly broad control boundary. In a multi-task agent, this can cause user messages that are administrative, sensitive, or intended for the parent chat to be silently forwarded into an isolated task session, leading to context confusion, accidental data disclosure, or unintended tool execution in the wrong task.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The fallback rule in the routing decision tree sends all unrecognized messages to the current task, making misrouting the default behavior. In this skill context, where one window manages multiple independent workstreams backed by separate sessions, that increases the chance that sensitive instructions, task-management requests, or unrelated content are delivered to the wrong session and acted on with the wrong context.

VirusTotal

65/65 vendors flagged this skill as clean.
