ClawHub

feishu-calendar-event

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Feishu calendar skill that uses Feishu app credentials to read and manage calendar events, with no hidden or unrelated behavior found.

Install only if you intend to let an agent access your Feishu calendar through your own Feishu app. Store the App Secret in environment variables or a secrets manager, do not commit secrets or tokens, grant only the calendar permissions you need, treat event titles/descriptions/locations as sensitive, and require confirmation before creating, updating, or deleting events.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly suggests placing the Feishu App ID and App Secret directly in source code. Hardcoded credentials are prone to accidental exposure through source control, logs, screenshots, or code sharing, enabling unauthorized access to the Feishu tenant and its calendar APIs.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill documents how to obtain a Feishu tenant access token and use it to enumerate calendars and fetch event details, which can expose sensitive personal or organizational scheduling data. While this appears instructional rather than overtly malicious, it omits any warning about privacy, authorization scope, or the sensitivity of calendar contents, increasing the risk of inappropriate data access or handling.

Credential Access

High
Category
Privilege Escalation
Content
## 步骤说明

### 1. 获取 Access Token

使用 web_fetch 工具调用飞书认证接口:
Confidence
90% confidence
Finding
Access Token

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal