Feishu Calendar Management (Chinese version)

Security checks across malware telemetry and agentic risk

Overview

This is a real Feishu calendar skill, but it under-discloses write access and handles OAuth credentials in an unsafe way.

Review carefully before installing. Use your own Feishu app credentials instead of the embedded secret, grant only the scopes you intend, protect or remove the saved token file, and require explicit user confirmation before allowing the skill to create calendar events or refresh stored credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The document states only read-only calendar permission is needed, yet the examples create calendar events and refresh tokens, both of which exceed read-only access. This mismatch can mislead reviewers and users into granting or trusting broader capabilities than disclosed, enabling unintended modification of calendar data and credential lifecycle operations.

Scope Creep

High
Confidence: 95%
Finding
The skill's demonstrated capabilities include creating events and updating a local token file, which go beyond a narrowly scoped calendar-query skill. Because it handles both user data modification and credential persistence, a caller could trigger more powerful actions than expected from the stated context.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding
The documentation contains a hardcoded app_secret, which is a direct credential exposure. Anyone with access to the skill file can reuse the secret to obtain app tokens and participate in token refresh flows, potentially compromising the associated Feishu application and downstream user access.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The document contains a hardcoded Feishu app secret directly in the OAuth setup example. Exposing a real client secret in repository documentation enables unauthorized parties to impersonate the application in OAuth flows and obtain tokens or abuse the app's granted permissions. In a calendar skill, this is especially dangerous because the same document also explains how to exchange codes for user tokens.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger conditions are broad enough to overlap with ordinary conversation about schedules or calendars, increasing the chance of accidental invocation. In this skill, that matters because the documented capabilities include authenticated reads and writes to a real calendar, so mis-triggering can expose private schedule data or create unintended events.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents actions that modify user data and local credentials, but it does not provide explicit warnings or confirmation requirements before performing them. Without clear notice, a user may unintentionally authorize event creation or token refresh/persistence, leading to unauthorized state changes or mishandling of sensitive credentials.

Missing User Warnings

High
Confidence: 98%
Finding
The guide not only exposes a hardcoded app secret but also instructs users to save access_token and refresh_token to a local JSON file under the skill workspace without any guidance on file permissions, encryption, rotation, or exclusion from source control. If that file is read by other local users, malware, backups, or accidentally committed, attackers could access or maintain access to a user's personal Feishu calendar data and perform calendar actions as that user.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script retrieves a user's calendar and event data from Feishu using a stored user access token, but there is no runtime disclosure, consent check, or user-visible indication that personal calendar contents will be transmitted to a third-party API. In a calendar-management skill this behavior is functionally expected, but it still processes sensitive personal scheduling data, so lack of explicit notice/consent creates a real privacy and authorization risk if invoked unexpectedly or in a broader agent workflow.

VirusTotal

VirusTotal findings are pending for this skill version.