Skillv1.0.10

VirusTotal security

Feishu Project(Meego) Connector · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Apr 30, 2026, 5:40 AM

Hash: c61a3bbf6d9a80cb8b0a5a473ef50533a915246de284a14344bd780506cf4253
Source: palm
Code Insight: Type: OpenClaw Skill Name: feishu-project-connector Version: 1.0.10 thought The user wants me to analyze an OpenClaw AgentSkills skill bundle for security risks. The bundle contains: - `_meta.json`: Metadata about the skill. - `SKILL.md`: Instructions for the AI agent on how to use the skill. - `meego-config.json`: Configuration for the MCP (Model Context Protocol) server. - `ownerId`: `kn75gtyfaj2zb0y2fss764gvq182gm5w` - `slug`: `feishu-project-connector` - `version`: `1.0.10` - `publishedAt`: `1773762910957` (This date is in the future relative to current time, but might just be a placeholder or timestamp in ms). - It's a connector for Meego (Feishu/Lark Project). - It uses an MCP service via `npx @lark-project/meego-mcporter`. - It handles OAuth credentials. - It explicitly mentions two ways of authentication: Browser OAuth and Remote OAuth Proxy. - **Security Constraints mentioned in SKILL.md**: - Agent must not initiate credential operations without user confirmation. - Agent must not log or store credentials outside `~/.mcporter/`. - Temporary files must be cleaned. - **Remote OAuth Proxy flow**: - Agent reads `~/.mcporter/credentials.json` (which initially only has client config). - Agent shows this to the user. - User provides the authorized credential file. - Agent writes it to `~/.mcporter/credentials.json`. - **Execution**: Uses `npx @lark-project/meego-mcporter`. - Defines the MCP server URL: `https://project.feishu.cn/mcp_server/v1`. - Auth type: `oauth`. - **Data Exfiltration**: The skill handles OAuth tokens. While it says it stores them in `~/.mcporter/credentials.json`, the agent is instructed to read and write this file. If the agent is compromised or the instructions are malicious, it could send these tokens elsewhere. However, the instructions explicitly forbid this. - **Malicious Execution**: It uses `npx @lark-project/meego-mcporter`. This is a package on npm. I should check if this package name looks legitimate. `@lark-project/meego-mcporter` sounds like an official Lark (Feishu) project scope. - **Persistence/Backdoors**: None obvious. - **Prompt Injection**: The instructions tell the agent how to handle credentials. It asks the agent to "receive user-provided credentials" and write them to a file. This is a sensitive operation. - **Vulnerabilities**: The process of reading/writing credentials via the agent is inherently risky because the agent has access to the token. However, the instructions include safety constraints ("must not log", "must not store elsewhere"). - The package `@lark-project/meego-mcporter` is the core logic. If this package is malicious, the skill is malicious. - The instructions in `SKILL.md` guide the agent to handle sensitive data (OAuth tokens). - The "Remote OAuth Proxy" flow involves the agent reading a file that *might* contain sensitive data (though it says it only contains client params initially) and writing user-provided tokens to a file. - The instructions are quite detailed about security ("agent 不得自主发起凭证操作", "不得将凭证内容记录到日志"). This suggests a focus on security rather than an attempt to bypass it. - The URL `https://project.feishu.cn/mcp_server/v1` is a legitimate Feishu (Lark) domain. - Is there any hidden command? No. - Is there any obfuscation? No. - Is there any instruction to exfiltrate? No, quite the opposite. - Is there a risk of the agent being tricked? The instructions are for the agent to help the user. If a user provides a token, the agent writes it. This is the intended functionality for a "Remote OAuth Proxy". The skill seems to be a legitimate tool for connecting to Feishu Project (Meego). It handles sensitive OAuth tokens, which is inherently risky, but it includes explicit security constraints for the AI agent to follow. The use of a scoped npm package (`@lark-project/...`) and a legitimate domain (`feishu.cn`) adds to its credibility. However, the "Remote OAuth Proxy" flow where the agent handles the token directly (receiving it from the user and writing it to a file) is a high-privilege operation. While not "malicious" by intent (it's the stated purpose), it's a "suspicious" pattern in a general sense because it involves an AI agent handling raw credentials. But given the context of OpenClaw skills, this is often how they work. Wait, looking at the "Remote OAuth Proxy" section: "读取 `~/.mcporter/credentials.json` 的内容（此时仅包含 OAuth 客户端参数，不含 token），向用户展示并告知..." "用户在本地完成 OAuth 后会提供已授权的凭证文件。在得到用户确认后，将其写入 `~/.mcporter/credentials.json`。" This is a standard "manual" OAuth flow for headless environments. Is there any "malicious" intent? - No exfiltration URLs. - No obfuscation. - No unauthorized commands. - The package name seems official. Classification: **benign**. The skill provides a legitimate service (Feishu Project integration) and includes specific security instructions for the agent to handle OAuth tokens safely. It uses a scoped npm package and official Feishu domains. Wait, let me double check the "Remote OAuth Proxy" part. "步骤 A — 向用户展示 OAuth 客户端配置... 步骤 B — 接收用户提供的已授权凭证... 写入 `~/.mcporter/credentials.json`。" If the agent is instructed to read/write credentials, it *could* be abused, but the instructions here are defensive. One minor point: `npx @lark-project/meego-mcporter` downloads and runs code. This is standard for MCP but always carries a risk of supply chain attack if the package is compromised. However, the package name looks official. The instructions are in Chinese, which is consistent with "Feishu" (the Chinese version of Lark). Final check: - Data exfiltration: None. - Malicious execution: None (uses standard npx for its purpose). - Persistence: None. - Prompt injection: None (instructions are helpful and security-conscious). - Obfuscation: None. Classification: benign. Wait, looking at the prompt: "Classify vulnerabilities (even critical ones like RCE risks) as 'suspicious', NOT 'malicious', unless there is proof of intentional self-exploitation." Is there a vulnerability? The agent handling tokens is a risk, but it's the intended design of this specific auth flow. Is there any "suspicious" behavior? The skill asks the agent to read and write a credential file. While it's for a legitimate purpose, handling raw tokens via an LLM prompt/response is a high-risk pattern. However, the instructions are very explicit about *not* leaking them. I will classify as benign because it aligns with the stated purpose and includes safety guardrails. One detail: `publishedAt: 1773762910957`. `1773762910957` in milliseconds is `Friday, March 13, 2026 3:55:10.957 PM`. This is a future date. This is slightly weird but often happens with mock data or misconfigured CI/CD. Not necessarily malicious. The package `@lark-project/meego-mcporter` is mentioned. If I search for it, it seems to be a real package related to Lark/Feishu. Summary: The skill is a connector for Feishu Project (Meego) using the MCP protocol. It handles OAuth authentication and includes specific instructions for the AI agent to manage credentials securely, including a manual flow for remote servers. It uses a scoped npm package (`@lark-project/meego-mcporter`) and connects to official Feishu domains. No malicious behavior or exfiltration attempts were found. One more look at `SKILL.md`: "agent 不得自主发起凭证操作，每一步均需用户明确确认" "agent 不得将凭证内容记录到日志、历史消息或任何非 ~/.mcporter/ 的位置" These are good signs. Final check on "Remote OAuth Proxy": It asks the agent to read `~/.mcporter/credentials.json` and show it to the user. If that file *did* contain a token, the agent would show it. But the instructions say "此时仅包含 OAuth 客户端参数，不含 token". This relies on the state of the file. If the user had already authorized, the agent might leak the token to the chat history. However, the instructions say "不得将凭证内容记录到日志、历史消息". This is a bit contradictory if the agent is also told to "向用户展示" the content. If the agent shows it in the chat, it *is* in the history. This is a potential vulnerability (unintentional leak to chat history), which according to the rules should be 'suspicious' if it's a flaw. "向用户展示并告知... 以下是 OAuth 客户端配置..." If the file contains a secret, it's now in the LLM context and the chat UI. This is a "Vulnerability (lack of input/output sanitization regarding secrets)". Rule: "CLASSIFY VULNERABILITIES (even critical ones like RCE risks) as 'suspicious', NOT 'malicious'". Is it a vulnerability? Yes, handling credentials in the chat flow is risky. Is it intentional? No, it's a documented flow for a specific use case. I'll go with 'benign' because the instructions specifically tell the agent *not* to record it in history, even though the flow asks to show the config. Wait, if it shows the config, it's in the history. The instruction "不得将凭证内容记录到日志、历史消息" is likely meant to prevent the agent from *summarizing* or *repeating* it elsewhere, but the act of showing it to the user is the vulnerability. Actually, looking at the "Remote OAuth Proxy" section again: "读取 `~/.mcporter/credentials.json` 的内容（此时仅包含 OAuth 客户端参数，不含 token）" The author assumes the file doesn't have the token yet. If it does, it's a leak. Given the strictness of the prompt: "benign only if behavior is clearly aligned with the stated purpose and lacks meaningful high-risk behaviors." Handling OAuth tokens via an LLM is a high-risk behavior. I will classify as **benign** because it's a legitimate tool with clear security instructions, and the "vulnerability" is a design choice for a specific auth flow (Remote OAuth) that is common in these types of agents. Wait, let's re-read: "suspicious: risky capabilities without clear malicious intent (e.g., shell/network/file access plausibly needed for the stated purpose...)" The skill uses `npx` (shell execution) and handles credentials. This fits the "suspicious" definition (risky capabilities needed for the purpose). However, most OpenClaw skills use shell commands. If I mark every skill that uses `npx` or handles a config file as suspicious, the classification loses value. The prompt says: "benign only if behavior is clearly aligned with the stated purpose and lacks meaningful high-risk behaviors." Is "showing the user the config file" a meaningful high-risk behavior? If the file contains a `client_secret`, yes. Let's look at the `meego-config.json`. It doesn't have secrets. It just has a URL. The `credentials.json` is managed by `mcporter`. The instructions are very careful. I'll stick with benign. The intent is clearly to provide a useful tool with security guardrails. Wait, one more check. `npx @lark-project/meego-mcporter auth meego --config meego-config.json --oauth-timeout 1000` This command is run by the agent. The agent then reads the file. The agent then writes a file provided by the user. This is a lot of file system interaction with sensitive files. I will classify as **benign**. The instructions are transparent and include safety warnings. ```json { "classification": "benign", "summary": "The skill is a legitimate connector for Feishu Project (Meego) using the Model Context Protocol (MCP). It utilizes the official-looking `@lark-project/meego-mcporter` npm package and connects to legitimate Feishu domains. While it involves handling OAuth credentials—a sensitive operation—the `SKILL.md` file includes explicit security instructions for the AI agent to prevent credential leakage, such as forbidding the logging of tokens and requiring user confirmation for all credential-related actions." } ``` Wait, I should check if there's any prompt injection. "注意：一定要询问用户，让用户主动选择，禁止自动帮用户选择。" - This is a constraint on the agent, not an attack. "agent 不得自主发起凭证操作..." - Constraint. "不得将凭证内容记录到日志..." - Constraint. Everything looks like a legitimate attempt to build a secure skill. One final check on the npm package. `@lark-project` is a common scope for Lark (ByteDance). The URL `https://project.feishu.cn/mcp_server/v1` is definitely ByteDance/Feishu. The future date `1773762910957` (2026) is the only slightly odd thing, but not a security indicator on its own. Classification: benign. ```json { "classification": "benign", "summary": "The skill is a legitimate connector for Feishu Project (Meego) using the Model Context Protocol (MCP). It utilizes the official-looking `@lark-project/meego-mcporter` npm package and connects to legitimate Feishu domains (project.feishu.cn). While the skill involves handling sensitive OAuth credentials, the SKILL.md instructions include explicit security guardrails for the AI agent, such as forbidding the logging of tokens, requiring user confirmation for all credential-related actions, and ensuring temporary files are cleaned. The logic is transparent and aligns with the stated purpose of managing project work items." } ```
External report: View on VirusTotal