colleague-skill
Security checks across malware telemetry and agentic risk
Overview
This skill openly collects workplace chats and documents to build persistent coworker personas, but it requests broad account tokens and can perform account/API actions without clear scoping or confirmation.
Install only if you are authorized to collect and process the relevant coworker/workspace data. Use least-privilege, preferably read-only app credentials; avoid DM/private-channel collection unless absolutely necessary; require explicit approval before any API action that sends or modifies data; review generated skills before invoking them; and delete local token/config, knowledge, and version archives when finished. No hidden exfiltration endpoint is evident in the provided artifacts, but the documented access level is broad enough to require careful review.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could send messages or perform other Feishu API actions using the user's identity while trying to collect data.
This tells the agent to create/run ad-hoc API code and send a Feishu message from the user's account to discover a private chat ID, without a clear explicit confirmation step.
When the user has a user_access_token but no chat_id, you should **write a Python script yourself** to obtain it...use the user_access_token to send a message to the other party's open_id...content": "你好"
Require explicit user confirmation before any send/write API call, prefer read-only flows, avoid ad-hoc generated API scripts where possible, and ask the user to provide chat IDs or approve each account action.
A user who follows the setup may give the agent access to private chats, workspace messages, and message-sending authority under their account.
The skill asks for app secrets and user access tokens with authority to read and send workplace messages. This is sensitive delegated access and is not clearly bounded by the registry credential metadata.
The user needs to provide the following information: 1. **Feishu app credentials**: `app_id` and `app_secret`... `im:message` — read/send messages as the user... `--user-token {user_access_token}`
Use the minimum possible scopes, separate read-only collection from send permissions, avoid pasting long-lived tokens into chat, declare credential/config requirements clearly, and rotate or revoke tokens after use.
Installing the Slack integration may grant the collector access to sensitive private channel or direct-message history if the app is approved with those scopes.
The Slack setup requests private-channel and DM history permissions through a bot token, which can expose broad workspace communications beyond a narrowly selected colleague dataset.
`groups:history` | Read private channel message history... `im:history` | Read DM message history... Copy the **Bot User OAuth Token** (format: `xoxb-...`)
Create a dedicated least-privilege app, omit DM/private-channel scopes unless strictly necessary, restrict the bot to specific channels, and review workspace/admin approval carefully.
Sensitive coworker communications or documents can remain on disk and influence future generated skills even after the original collection task is over.
The design persistently archives raw messages/emails/docs and generated skill versions, making collected private content and derived instructions reusable across later sessions.
`knowledge/` # raw material archive ... `messages/` ... `emails/` ... `versions/` # historical version archive
Limit what is collected, exclude private or unnecessary data, review generated skills before use, define deletion/retention rules, and clear the knowledge and version directories when no longer needed.
A compromised dependency or unexpected version could affect the local environment used for collection.
The setup relies on external Python packages, browser automation components, and a global npm package. This is expected for the stated integrations, but users should still verify provenance and dependency versions.
`pip3 install -r requirements.txt` ... `playwright install chromium` ... `npm install -g feishu-mcp`
Install in an isolated environment, pin and review dependencies where possible, and verify the GitHub/npm/PyPI sources before use.
