Feishu Multi-Bot

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate Feishu/Lark multi-bot configuration helper, with a real but manageable secret-handling caution.

Install/use is reasonable if you need Feishu multi-bot routing. Treat AppSecrets carefully: run the helper only in a private shell, avoid saving commands with real secrets in history, review the generated JSON before merging it into ~/.openclaw/openclaw.json, and keep Feishu app permissions limited to what the bots need.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The script requires Feishu AppSecret values to be passed as command-line arguments and then prints those secrets back into generated JSON output. Command-line arguments may be exposed through shell history, process listings, CI logs, or terminal scrollback, so this creates a real credential disclosure risk even though the script's purpose is configuration generation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal