Feishu Quick Integration Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is a Feishu integration setup guide with disclosed write-capable access, so users should scope credentials carefully but there is no evidence of hidden or malicious behavior.

Install only if you intend to let OpenClaw access Feishu. Use a dedicated Feishu app, grant the minimum required scopes, test write workflows on non-production documents or tables first, confirm target links before updates, restrict webhook subscriptions, and keep the App Secret out of logs, screenshots, and version control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly instructs users to perform read/write operations against Feishu documents, wikis, and bitables, but does not warn that these actions can modify or overwrite live enterprise data. In an automation context, users may execute examples assuming they are harmless tests, increasing the risk of unintended data alteration, corruption, or disclosure in production workspaces.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation tells users to place an App Secret directly into a local configuration file without any guidance on secure storage, file permissions, secret rotation, or avoiding accidental exposure in logs, screenshots, or version control. Because the App Secret grants access to enterprise Feishu APIs, leakage could enable unauthorized access to documents, knowledge bases, or other tenant data.

VirusTotal

66/66 vendors flagged this skill as clean.
