Feishu Notes

Security checks across malware telemetry and agentic risk

Overview

This Feishu document skill is mostly purpose-aligned, but it asks for broad cloud-drive access while its promised folder limits are not enforced and it can fetch arbitrary image URLs.

Install only if you are comfortable granting this skill broad Feishu cloud-drive read/write access and storing OAuth credentials locally. Use it only with document IDs and image URLs you trust, and treat the documented folder limit as advisory unless the implementation is updated to enforce it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The security section promises operations are confined to a designated folder, but the documented commands accept arbitrary document IDs and include unrestricted listing of recent documents. This creates a misleading trust boundary: a user may believe the skill is sandboxed to one folder when it can access or modify documents outside that scope if given IDs or if listing exposes them.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill description does not disclose that it can fetch arbitrary external URLs and re-upload the retrieved bytes into Feishu documents. This hidden capability increases risk because a caller may unknowingly trigger outbound requests to attacker-controlled or internal endpoints, creating SSRF-like exposure and unreviewed data transfer.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The skill advertises simple text append behavior, but the implementation performs broader document mutations including styled text, headings, tables, and patch/delete operations. This mismatch undermines informed consent and can surprise users or orchestrators that rely on the manifest to understand write scope.

Vague Triggers

Medium
Confidence: 84%
Finding
The example prompts are broad everyday-language requests that can trigger document creation, modification, reading, or image insertion without clearly signaling that an external cloud service will be accessed. In agent settings, overly generic triggers increase the risk of accidental invocation and unintended data transfer into Feishu.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill description does not prominently warn that using the skill can create and modify documents in the user's Feishu cloud drive and interact with stored OAuth credentials. Missing this warning weakens informed consent and can lead to unintended cloud writes or exposure of sensitive work content to a third-party platform.

Missing User Warnings

Medium
Confidence: 97%
Finding
The image feature silently downloads data from arbitrary remote URLs and then uploads that data into Feishu, without any warning or opt-in. This can expose the runtime environment to SSRF-style probing, leak network access patterns to attacker-controlled hosts, and transfer unexpected content to a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.
