Message Tracker Plugin

Security checks across malware telemetry and agentic risk

Overview

The skill coherently describes sending tracked messages to a Feishu webhook, but users should treat the webhook, optional secret, and sent message content as sensitive.

Install or use this only if you intend tracked messages to be posted to a Feishu channel. Protect the webhook URL and signing secret, limit the destination to an appropriate channel, avoid sending sensitive content unless necessary, and verify any external Node package before running it.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone or anything with the webhook may be able to post messages to the configured Feishu destination.

Why it was flagged

The skill expects a Feishu webhook URL and optional signing secret, which act as credentials or delegated authority to post into a Feishu channel.

Skill content
webhook: '飞书Webhook地址',
  secret: '签名密钥'
Recommendation

Use a channel-scoped webhook, keep the signing secret private, and rotate the webhook if it is exposed.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Tracked message contents may become visible to people or systems with access to the configured Feishu channel.

Why it was flagged

The skill’s core behavior is sending tracked message content to Feishu, an external messaging channel.

Skill content
Push tracked messages to Feishu
Recommendation

Only send content appropriate for that Feishu channel, and avoid including secrets, private user data, or sensitive business information unless the channel is trusted.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The reviewed artifacts do not show malicious behavior, but they also do not allow verification of any separate Node package or implementation a user might install.

Why it was flagged

The supplied artifact set does not include runnable code or a verifiable source for the referenced plugin implementation.

Skill content
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill. No code files present
Recommendation

If you obtain code or an npm package for this plugin, review its source and dependency provenance before running it.