ClawHub

Feishu Workspace

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Feishu workflow skill whose read and write capabilities are disclosed and aligned with its purpose, but users should review edits to shared workspace content.

Install this only for agents you trust to work with Feishu. Use least-privilege Feishu scopes, specify exact docs, wiki spaces, and Bitables, and review important writes or updates before they affect shared team content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README explicitly promotes write, append, create, and update operations against Feishu Docs and Bitable, but it does not warn that these actions can modify shared team data or require user confirmation before making changes. In an agent setting, this increases the risk of unintended or over-broad writes to organizational documents, trackers, or knowledge assets, especially when users phrase requests ambiguously or when the agent operates with broad workspace permissions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly supports creating and updating Feishu docs and Bitable records but does not warn that these actions can modify external state. In an agent setting, this increases the risk of unintended writes, overwrites, or bulk changes being performed without clear user confirmation, especially when a request is ambiguous or references a provided URL/token.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The example prompts explicitly instruct the agent to write, append, and add records to Feishu Docs and Bitable, which can cause real external state changes. Because the examples provide no warning, confirmation step, or scope limitation, users may trigger unintended edits or data creation in shared workspace resources, especially in collaborative environments.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal