Feishu Log

Security checks across malware telemetry and agentic risk

Overview

This Feishu logging skill is mostly aligned with its stated purpose, but it includes hardcoded Feishu credentials/tokens, broad tenant-level permissions, plaintext local secret storage, and automatic full-access sharing that require review before installation.

Install only after reviewing and removing the embedded Feishu credentials/tokens, rotating any exposed secrets, and configuring your own least-privilege Feishu app. Treat this as a cloud-writing tool: verify the destination folder, collaborator open_id, and permission level before logging sensitive meeting notes or work records, and avoid storing App Secrets in plaintext ~/.openclaw files if your environment provides a safer secret store.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (23)

Context-Inappropriate Capability

High (99% confidence)
The script embeds a default Feishu App ID and App Secret directly in source code, causing anyone with access to the skill to obtain reusable API credentials. Hard-coded secrets are especially dangerous here because the skill's purpose is log writing, not distributing shared credentials, and these credentials can enable unauthorized access to Feishu resources tied to the app.

Description-Behavior Mismatch

Medium (83% confidence)
The skill description suggests users merely provide log content, but this script also provisions persistent API credentials on disk under the user's home directory. That mismatch expands the trust boundary: a user may invoke a seemingly simple formatting/logging skill without realizing it establishes long-lived access to their Feishu workspace.

Context-Inappropriate Capability

Medium (89% confidence)
The skill reads and persists Feishu app credentials from a shared local ~/.openclaw/workspace/.env file even though its advertised purpose is only to organize user-provided logs and write them to Feishu docs. Storing long-lived secrets on disk expands the blast radius if the workspace is readable by other tools, users, or compromised processes, and the code also rewrites the file wholesale rather than using a safer secret store.

Description-Behavior Mismatch

Medium (95% confidence)
The manifest says the skill writes organized logs to Feishu documents, but this function also grants full_access collaborator permissions on folders or documents. That is a broader capability than simple logging and can change access control in the user's Feishu workspace, potentially exposing or delegating management of documents beyond what users expect.

Context-Inappropriate Capability

Medium (96% confidence)
In the main flow, the skill automatically adds the configured user as a full_access collaborator to multiple folders and the final document. Automatic ACL modification is broader than the stated logging purpose and could be abused or misconfigured to grant powerful access to the wrong Feishu identity across an entire folder hierarchy.

Context-Inappropriate Capability

Medium (76% confidence)
The script lists files/folders in Feishu Drive to discover or reuse folders, which grants broader read visibility than is strictly required for a narrowly scoped log-writing tool. In the context of a skill advertised as simply recording user-provided logs, this expands data exposure and can reveal metadata about unrelated documents and folder names if the token is overprivileged or logs/errors are later exposed.

Context-Inappropriate Capability

Medium (89% confidence)
The skill reads Feishu credentials from a local OpenClaw config file in addition to environment variables, expanding its access to sensitive local secrets beyond what the manifest clearly discloses. In a skill that is supposed to format user-provided logs and write them to Feishu, silently harvesting credentials from local files increases the chance of unintended secret use and cross-account actions.

Description-Behavior Mismatch

High (99% confidence)
The code embeds a hard-coded Feishu appId and appSecret as a fallback, which is a direct secret exposure and enables unauthorized reuse by anyone with access to the skill source. Hard-coded credentials also make actions occur under an account the user did not intentionally supply, creating account abuse, data exposure, and supply-chain trust issues.

Context-Inappropriate Capability

High (99% confidence)
The script embeds default Feishu app credentials and a fixed root folder token, then uses them automatically if environment variables are not set. This allows the skill to write user-supplied content into a specific remote Feishu workspace under the author's control, creating an unauthorized data exfiltration and cross-tenant access risk far beyond simple local log formatting.

Description-Behavior Mismatch

Medium (88% confidence)
The implementation does more than the described 'write to a Feishu document' behavior by creating a year/month/day folder hierarchy in Feishu Drive. This expands the scope of remote actions and resource creation, which can surprise users, clutter or modify remote storage, and mask broader persistence of uploaded content.

Natural-Language Policy Violations

High (99% confidence)
The README publishes what appear to be real Feishu App credentials and a root folder token directly in example code. Even if intended as examples, embedding realistic secrets in documentation encourages insecure copying and may expose live access to the Feishu tenant, enabling unauthorized document creation, modification, or data access. In the context of a skill that writes logs to Feishu, this is especially dangerous because the token appears tied to a write-capable root folder and the skill handles potentially sensitive work records.

Vague Triggers

Medium (84% confidence)
The trigger phrases are broad and natural-language generic, so normal conversation about meetings or work logs could accidentally activate document creation and permission changes. In a skill with external write actions and cloud-side permission management, ambiguous invocation increases the chance of unintended data transmission and modification.

Missing User Warnings

High (94% confidence)
The skill states it will grant users full_access collaborator permissions, but does not clearly explain that this allows broad modification, deletion, sharing, and further permission management. Because the content may include sensitive meeting notes or project records, insufficient warning makes the remote sharing behavior more dangerous in context.

Missing User Warnings

High (96% confidence)
The skill emphasizes use of tenant_access_token with broad app-level permissions and no user authorization, but does not adequately warn that this token can operate across cloud files within the app's granted scope. In context, a logging skill should be narrowly scoped, so silent use of a powerful tenant token materially raises risk of overreach and misuse.

Missing User Warnings

Medium (84% confidence)
The script persists credentials to ~/.openclaw/workspace/.env after an interactive prompt, but the warning is generic and does not clearly explain the security consequences of writing secrets to disk. Users may unknowingly store app secrets in a location accessible to other local processes or future skills, creating unnecessary credential exposure.

Missing User Warnings

Low (89% confidence)
The script prints DEFAULT_OWNER_ID directly to stdout, which can expose an internal user or account identifier in terminals, logs, CI output, or screenshots. While not a secret like an app secret, it is still sensitive metadata that can aid enumeration or leak personal/internal identifiers.

Missing User Warnings

Medium (90% confidence)
The direct write path uploads user-provided log content to Feishu and creates remote folders/documents without an explicit, user-facing disclosure at the moment of action. In a logging skill, users may paste sensitive meeting notes, incident details, or internal project data, so silent remote persistence increases the risk of unintended data disclosure and retention.

Missing User Warnings

High (99% confidence)
Hardcoded Feishu app credentials in source code are a real secret-management vulnerability. Anyone with access to the code can extract the app ID and secret, obtain tenant access tokens, and perform API actions within the app's granted permissions, potentially leading to unauthorized document creation, folder enumeration, or broader tenant abuse.

Missing User Warnings

Medium (85% confidence)
The script performs remote state-changing actions in Feishu—creating folders and documents—without explicit user confirmation at execution time. In an agent-skill context, this can surprise users, cause unwanted data creation in enterprise storage, and be abused for spammy or disruptive writes if invoked unintentionally or with misleading prompts.

Missing User Warnings

Medium (87% confidence)
Accessing environment variables and a local config file for Feishu secrets without a user-facing warning or consent means the skill can consume sensitive credentials implicitly. In agent environments, this is dangerous because users may believe they are only providing log text, while the skill is also reaching into local secret stores.

Missing User Warnings

Medium (81% confidence)
The skill automatically lists folders and creates folders/documents over the network without an explicit confirmation step. Although this is aligned with the skill's purpose, it still performs external state-changing actions that can create unwanted documents, clutter shared workspaces, or write sensitive logs to the wrong location if invoked unintentionally.

Missing User Warnings

Medium (93% confidence)
The script transmits raw user-provided log content to Feishu's API without an explicit privacy notice, confirmation, or content-sensitivity check. Because work logs often contain confidential project, meeting, or incident details, silent network transmission can expose sensitive information to third-party infrastructure or an unexpected workspace.

Natural-Language Policy Violations

Low (90% confidence)
The document declares the skill fully compliant and ready for use while also endorsing fallback default values for sensitive credentials. Hardcoded or fallback secrets are unsafe because they can be accidentally committed, reused across environments, or expose development credentials that later gain broader access.

VirusTotal

66/66 vendors flagged this skill as clean.
