Feishu Task Agent (飞书任务智能体)

Security checks across malware telemetry and agentic risk

Overview

This Feishu task skill is mostly purpose-aligned, but it installs persistent automation and broad workspace routing behavior that should be reviewed before use.

Install only if you want this skill to manage Feishu tasks and recurring automation. Before running its registration workflow, review the cron jobs it will create, the AGENTS.md routing rule it will write, and the Feishu/OpenClaw account it will use; also inspect the contents of daily.json before allowing the skill to upload it to Feishu.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 81%
Finding: The skill advertises no declared permissions, yet the analysis indicates it can read environment variables and perform file reads/writes. That creates a trust and containment problem: operators and users cannot accurately assess what data the skill may access or modify, and hidden filesystem/config access can expose secrets or alter local state unexpectedly.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: The description-behavior mismatch is security-relevant because the skill appears to access OpenClaw configuration and normalize task actors in ways not disclosed by the top-level description, while also failing to implement some advertised functions. Undocumented config parsing can expose sensitive local configuration or cause unintended side effects, and mismatches between stated and actual behavior undermine informed consent, review, and safe routing decisions.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The workflow gives the agent authority to enumerate all cronjobs and modify a cronjob message based on discovered task data, which expands the skill from Feishu task execution into scheduler administration. That broad capability can let a task-processing agent alter unrelated scheduled jobs or retarget future executions if task metadata or cron matching is wrong, creating a cross-system integrity risk.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: A Feishu task skill is instructed to perform scheduler-administration actions that are not essential to ordinary task handling, violating least privilege and increasing blast radius. If the agent is compromised, confused, or given adversarial task content, it can modify scheduled task configuration rather than only operating on the current Feishu task.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The registration workflow modifies the current agent's AGENTS.md to impose broad routing rules that affect all future user inputs, not just Feishu-task registration. This creates a persistence and scope-expansion risk: a user asking to register one capability can silently alter the agent's global behavior, potentially redirecting unrelated future requests into this skill and changing trust boundaries for the whole workspace.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: The skill enables implicit invocation globally without defining narrow trigger constraints or exclusion conditions, which can cause the agent to route unrelated user input into this skill unexpectedly. Because this skill can create Feishu tasks, perform polling-based task execution, register/init a task agent, and generate or refresh daily.json, accidental or prompt-manipulated invocation could trigger side effects or unauthorized workflow actions.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The example explicitly instructs scheduled generation of a weekly report using Feishu messages, tasks, and calendar context, but does not include any user-facing notice, consent step, or data-minimization boundary. In a task automation skill, this creates a real privacy and over-collection risk because the scheduled run may access broad personal or organizational context beyond what the user visibly requested at execution time.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The workflow explicitly instructs the agent to serialize and transmit generated `daily.json` content to an external Feishu profile, but it provides no requirement to validate, minimize, or obtain consent for the data being sent. If the source daily report contains sensitive internal project details, personal data, or secrets, this step can cause unintended data exposure to an external system or broader audience within Feishu.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The workflow directs the agent to run shell commands that update cron configuration without any confirmation, warning, or guardrails around modifying scheduled automation. Silent scheduler changes are risky because a malformed replacement or ambiguous cronjob selection can persistently alter future system behavior and be hard to detect or recover from.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The workflow instructs modifying AGENTS.md without an explicit warning that a workspace file will be changed. Hidden or insufficiently disclosed file mutations are dangerous because they create persistent configuration changes that users may not expect, making later agent behavior harder to audit and potentially enabling policy injection through a seemingly routine registration step.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The workflow creates recurring cron jobs during registration but does not explicitly warn the user that persistent scheduled tasks will be installed in the environment. This is dangerous because scheduled execution can outlive the current session, trigger autonomous actions later, and consume tools or modify files repeatedly without the user realizing registration had enabled ongoing background behavior.

Ssd 3
Severity: Medium
Confidence: 88%
Finding: The rules require embedding non-user-visible internal metadata and workflow instructions into the scheduled message payload, including a task GUID and hidden processing directives. This creates a covert control channel where internal orchestration data is mixed with user-facing task content, increasing the risk of metadata leakage, prompt injection across task boundaries, and unintended privilege/context propagation when the scheduled job later executes.

Ssd 3
Severity: Medium
Confidence: 97%
Finding: The hidden instruction embedded in the cron message tells the agent to use Feishu message, task, and calendar context to generate output, even though that scope is not fully visible to the end user. Hidden processing directives that expand contextual data access are dangerous because they can cause silent collection, synthesis, and exposure of sensitive information from unrelated conversations, meetings, or tasks during later automated runs.

VirusTotal

64/64 vendors flagged this skill as clean.
