OpenClaw Feishu Message

Security checks across malware telemetry and agentic risk

Overview

The plugin mostly does Feishu/Lark messaging as advertised, but it also bundles and persists contact data and can send workplace messages without an enforced confirmation step.

Install only if you trust the publisher and are comfortable giving this plugin Feishu/Lark bot authority to search employees and send messages. Delete the bundled contact cache before use, configure the Feishu account explicitly, consider setting allowSend=false unless you have a confirmation workflow, and avoid shared hosts where cached contact data could be exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The skill reads configuration from an environment-selected path and from the user's persisted OpenClaw config in the home directory, which may contain Feishu credentials and other unrelated channel settings. For a messaging-focused skill, silently reaching into global/local config expands data access beyond explicit inputs and can expose or misuse sensitive configuration if the runtime or environment is manipulated.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The employee search path requests and returns broad profile fields including email, mobile, multiple platform identifiers, department IDs, title, and even the raw directory object. That exceeds the stated messaging/follow-up purpose and can turn the tool into a directory-enumeration and personal-data disclosure primitive, especially when callers only need enough data to identify a recipient.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
When direct search is unavailable or sparse, the code falls back to listing users from the root department or generic user listing, then filters client-side. This materially broadens the tool from targeted lookup into bulk directory access, enabling enumeration of employee records that were not directly requested.

Missing User Warnings

Medium
Confidence: 93%
Finding
The cache persists personally identifiable contact data such as name, email, mobile number, and multiple Feishu user identifiers to a fixed path on disk under /root without any access controls, encryption, retention policy, or user disclosure. In the context of a messaging skill, this creates a real privacy and data-exposure risk because local users, backups, logs, container escapes, or compromised hosts could recover a durable contact directory that users may not expect to be stored.

Missing User Warnings

Medium
Confidence: 84%
Finding
The code accesses sensitive configuration sources, including a path controlled by OPENCLAW_CONFIG_PATH and a persisted home-directory config, without any user-facing disclosure, consent, or boundary checks. Because these sources can contain application secrets, silent loading increases the risk of inadvertent credential exposure, unauthorized account use, or confusing cross-tenant behavior in a skill whose stated purpose is only messaging.

Missing User Warnings

Medium
Confidence: 87%
Finding
The follow-up action can resolve a recipient from partial identifying information, generate a message automatically, and send it without a mandatory confirmation step. In an agent setting, that combination increases the risk of mis-targeted messages, unwanted outreach, and disclosure of work status or internal context to the wrong person due to ambiguous resolution.

Missing User Warnings

Medium
Confidence: 89%
Finding
This action resolves contacts from identifiers or search terms and can send arbitrary content immediately, which creates a real risk of accidental disclosure or social-engineering misuse if the agent is induced to message the wrong recipient. The danger is amplified by automatic recipient resolution and absence of a required user-approval checkpoint before dispatch.

VirusTotal

65/65 vendors flagged this skill as clean.
