Create a new agent in FeiShu

Security checks across malware telemetry and agentic risk

Overview

This is a setup guide for Feishu multi-agent OpenClaw routing; it uses credentials and persistent config, but those steps are disclosed and fit the stated purpose.

Before installing, review each command, back up ~/.openclaw/openclaw.json, confirm the Feishu account IDs and agent IDs, and avoid pasting app secrets or provider keys into chat or logs. Only configure remote memory embeddings for workspace content you are comfortable sending to that provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs reading an API key from a local auth profile and writing it into configuration, but only says not to echo secrets to users; it does not require redaction in logs, avoidance of shell history exposure, or use of a secret store/environment variable. In an agent skill context, this can cause credential disclosure through command transcripts, config files, debug output, or persistent state if the agent follows the steps verbatim.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal