feishu-doc-extended

Security checks across malware telemetry and agentic risk

Overview

This skill appears aimed at Feishu image download and OCR, but it asks users to persistently patch a built-in Feishu plugin and includes broader document-management schema than the public description explains.

Install only if you are comfortable manually modifying OpenClaw’s built-in Feishu plugin. Back up the original files first, review that only the get_image code is being added, keep Feishu app permissions minimal, and treat returned image URLs, browser screenshots, and OCR output as sensitive document data.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The exported schema exposes a full document management surface—read, create, write, append, insert, update, delete, table manipulation, and file upload—while the published skill description claims only image download and OCR functionality. This capability mismatch is dangerous because agents, users, and reviewers may trust the narrower description and unknowingly authorize broad document modification or destruction actions.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The skill exposes arbitrary write and destructive editing operations that are unrelated to the stated purpose of image download/OCR, creating an unnecessary and overly broad attack surface. In an agent setting, this can enable unauthorized content replacement, deletion, or tampering of Feishu documents if the tool is selected based on its misleadingly narrow description.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly instructs users to obtain Feishu document image URLs and run OCR on the extracted content, but it does not warn that document images may contain sensitive business or personal data, nor that temporary image URLs should be treated as secrets. In this skill context, the feature is specifically designed to extract and process document images, which makes omission of handling guidance more dangerous because it normalizes potentially unsafe data exfiltration and retention practices.

Missing User Warnings

Medium
Confidence: 79%
Finding
The skill handles Feishu document image access by obtaining temporary download URLs, but it provides no explicit warning that these URLs expose document-derived content and may be sensitive. In this context, the omission matters because users are instructed to open the URL in a browser and process screenshots for OCR, increasing the chance of unintended disclosure, logging, or mishandling of confidential document data.

Missing User Warnings

Medium
Confidence: 92%
Finding
The `write` action replaces the entire document content, but the schema provides only a terse description and no warning that the operation is destructive. This increases the likelihood of accidental data loss by users or autonomous agents, especially given the skill's misleading image/OCR framing.

Missing User Warnings

Medium
Confidence: 91%
Finding
The `delete_block` operation enables direct removal of document content without any visible warning, confirmation requirement, or indication of irreversibility. In an agent workflow, that creates a realistic risk of accidental or induced deletion of important material.

Missing User Warnings

Medium
Confidence: 90%
Finding
The table row deletion action removes structured data but does not visibly disclose that it is destructive or may shift surrounding table contents. This makes accidental data loss more likely, particularly when row indexes are agent-generated or derived from imperfect context.

Missing User Warnings

Medium
Confidence: 90%
Finding
The table column deletion action can remove large amounts of structured information, yet the schema does not surface a clear warning that the operation is destructive. Because column indexes may be easy to misidentify, agents or users can inadvertently delete the wrong data set.

Missing User Warnings

Medium
Confidence: 89%
Finding
The remote `upload_image` and `upload_file` actions accept arbitrary URLs, enabling the skill to fetch external resources without clearly disclosing that network retrieval and third-party data transfer will occur. In agent environments, this can expose internal URLs, leak access patterns, or import untrusted content under a benign-seeming image/OCR description.

VirusTotal

66/66 vendors flagged this skill as clean.
