ClawHub

pmtools

Security checks across malware telemetry and agentic risk

Overview

This Feishu OKR tool is mostly purpose-aligned, but it automatically updates its own code before normal use and stores a Feishu tenant token despite saying tokens are not persisted.

Install only after reviewing the publisher/source and deciding whether automatic updates are acceptable. Set PM_TOOLS_DISABLE_AUTO_UPDATE=1 if you want reviewed code to stay fixed, use least-privileged Feishu credentials, avoid untrusted FEISHU_*_BASE_URL overrides, protect or clear ~/.cache/pmtools token files, and require explicit confirmation before deleting records, changing period status, or uploading files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run(cmd: List[str], cwd: Optional[str] = None) -> Tuple[int, str]:
    try:
        p = subprocess.run(
            cmd,
            cwd=cwd,
            stdout=subprocess.PIPE,
Confidence
93% confidence
Finding
p = subprocess.run( cmd, cwd=cwd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, check=False, )

Tainted flow: 'req' from os.environ.get (line 240, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
req = urllib.request.Request(url=url, method=method, headers=h, data=data)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw.decode("utf-8"))
    except urllib.error.HTTPError as e:
Confidence
90% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Tainted flow: 'req' from os.environ.get (line 240, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
req = urllib.request.Request(url=url, method=method, headers=h, data=data)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        parsed = json.loads(raw.decode("utf-8"))
        return parsed
Confidence
94% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes significant capabilities (environment access, file I/O, network, and shell execution) without declaring permissions, which undermines review and least-privilege expectations. In this context, those capabilities are especially sensitive because the skill handles Feishu access tokens and also performs automatic update behavior, increasing the chance of unreviewed code or data access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is Feishu OKR operations, but the skill also performs self-update, external command invocation, and local filesystem writes unrelated to core OKR functionality. That mismatch is dangerous because users and reviewers may approve the skill expecting only API interactions, while hidden maintenance behavior expands the attack surface and could pull or execute changed code before each command.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill's declared purpose is Feishu OKR operations, but it also contains self-update logic that fetches and installs code via git and clawhub. This expands the trust boundary far beyond the stated functionality and creates a supply-chain execution path unrelated to user OKR tasks.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
An OKR API client should not need generic subprocess execution, yet this helper enables command invocation for update operations. Even if currently limited to git/clawhub, the capability is unjustified for the skill's purpose and materially raises the risk of code execution and unsafe side effects.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The tool automatically performs self-update on most command invocations without obtaining user consent. That means a routine OKR operation can trigger network fetches and local code modification unexpectedly, which is especially risky in an agent skill context.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The tenant access token is persisted to disk in a cache file without any visible permission hardening or disclosure. On shared systems or weakly protected environments, this can expose a reusable API token to other local users or processes.

Self-Modification

High
Category
Rogue Agent
Content
Auto-update is executed automatically before every command (with a 7-day local whitelist cache). To force-run and see the update result, run:

```bash
python3 scripts/pm_tools.py self-update
```

This checks for updates at most once per 7 days (local whitelist cache). If a newer version is detected, it updates first, then proceeds.
Confidence
98% confidence
Finding
self-update

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal