Feishu Base

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Feishu Base management tool, but it can modify Feishu business data and upload user-supplied local or remote files when invoked.

Install this only if you want OpenClaw to use your Feishu credentials to read and modify Feishu Base data. Keep allowDelete disabled unless deletion is truly needed, specify the target Base/table/account for writes, review schema changes before running them, and use attachment actions only with trusted file paths and URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium (90% confidence)
Finding
The code broadens its effective capability from Base/Bitable management into Feishu Drive enumeration by calling drive.v1.file.list and filtering results to discover candidate bases. This is a scope-expansion issue because it enables listing Drive contents beyond the narrowly described Base operations, which can expose file metadata and increase data discovery surface with existing credentials.

Description-Behavior Mismatch

Medium (89% confidence)
Finding
The wiki link resolution logic calls wiki.space.getNode and wiki.spaceNode.list to resolve Base links, extending access into Feishu Wiki beyond the stated Base/Bitable management scope. With existing credentials, this can enumerate wiki node metadata and indirectly reveal linked resources, increasing the blast radius of the skill beyond what users may expect.

Description-Behavior Mismatch

Medium (90% confidence)
Finding
The code fetches arbitrary attacker- or user-controlled URLs and loads the full response into memory before uploading it onward. In an agent context, this creates SSRF and data-exfiltration risk because the skill can be induced to contact internal services, cloud metadata endpoints, or other unintended network targets outside the stated Feishu-only scope.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The helper accepts an arbitrary file_path, resolves it, and reads the file contents from local disk for upload. In an agent runtime, this expands the skill into a local file read primitive that can expose secrets, credentials, or sensitive host files unrelated to Feishu Base management.

Missing User Warnings

Medium (91% confidence)
Finding
The plugin explicitly supports credential resolution from runtime context and persisted OpenClaw config files, which can cause actions to run under a different Feishu account than the user expects if account selection is ambiguous. In a tool that can inspect schema, read records, mutate data, and perform destructive operations, unclear credential-source behavior increases the risk of unauthorized data access or modification across accessible Feishu resources.

Vague Triggers

Medium (79% confidence)
Finding
The invocation guidance encourages broad use based on natural-language intent such as adding customers, without clear limits or mandatory confirmation boundaries. In a skill that can mutate records, tables, and fields, vague triggers increase the chance of accidental activation and unintended writes against the wrong Base or table.

Missing User Warnings

Medium (92% confidence)
Finding
The skill advertises create, update, upsert, delete, and schema mutation operations without prominent user-facing warnings or confirmation requirements. Because these actions can alter or destroy business data and structure, omission of strong safety prompts makes accidental or socially engineered destructive changes more likely.

VirusTotal

65/65 vendors flagged this skill as clean.
