Pywayne Lark Bot Listener

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Lark/Feishu message listener whose chat access and temporary attachment downloads fit its stated purpose.

Install only where the bot is intended to receive the relevant Lark/Feishu conversations. Limit the bot’s chat membership and app permissions, avoid routing highly sensitive channels unless approved, treat incoming text and attachments as untrusted, and ensure temporary file cleanup, size limits, and malware scanning match your environment’s risk level.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly documents that image and file handlers automatically download incoming content to a local temporary directory, but it does not present this as a clear user-facing warning. That can lead operators to enable the skill without understanding that untrusted remote content will be written to disk, increasing privacy, malware-handling, and storage-risk exposure.

Missing User Warnings

Medium
Confidence: 95%
Finding
This skill maintains a persistent WebSocket connection and processes message content plus metadata such as chat IDs, user IDs, group names, and message bodies, but the description does not provide an explicit privacy warning. Users may deploy it without realizing that potentially sensitive communications are continuously transmitted and handled by the listener, which raises confidentiality and compliance concerns.

VirusTotal

64/64 vendors flagged this skill as clean.
