Feishu File Sender

Security checks across malware telemetry and agentic risk

Overview

The skill does the advertised Feishu file-staging task, but its setup can persistently grant broad or whole-system file access that the task does not need.

Install only if you are comfortable reviewing and manually controlling the OpenClaw permission changes. Prefer a narrow config limited to the exact temporary media directory you intend to use, avoid the medium and loose presets, especially /**, and clean staged files after sending sensitive documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The documentation instructs users to run a permission-configuration script that broadens OpenClaw filesystem access beyond temporary-file preparation. This weakens sandboxing and creates an avenue for unintended access to user data if the skill, a dependent plugin, or a compromised component misuses the expanded allowlist.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The manifest and headline describe a narrow temp-directory workaround, but the body documents configuration changes to OpenClaw permissions. This mismatch is risky because users may approve or install the skill under a false impression of limited behavior, undermining informed consent and security review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The generated permission profiles grant access to broad user and system locations such as entire home directories, /home, /var, /srv, drive roots, and temp paths, which is far beyond a skill described as a temporary-directory workaround for sending Feishu files. This unnecessarily expands the blast radius for file read/write abuse and increases the chance of unintended disclosure or modification of unrelated files.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The '宽松' option returns '/**', effectively granting whole-filesystem access. For a skill whose stated purpose is sending files through a temp-directory workaround, this is a severe overprivilege condition that could enable arbitrary file access across the system if the skill is misused or compromised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The script writes directly to the global OpenClaw configuration and adds permissions for the skill without interactive confirmation at the point of change. Because it modifies a persistent security boundary for the environment, this broadens access beyond the narrow feature described and can silently leave the skill with long-lived excessive filesystem privileges.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding:
The module exposes listTempFiles() and cleanTempDir(), which provide file enumeration and bulk deletion capabilities beyond the narrowly stated purpose of copying a file for Feishu upload. In a skill context, extra filesystem management primitives increase abuse potential because another component could use them to inspect filenames/metadata or delete unrelated files if the chosen temp directory is overly broad or misconfigured.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill presents broad permission presets, including access to home and system directories and even '/**', without prominently warning about the security implications. Users may choose overly broad access for convenience, materially increasing exposure of credentials, personal files, and system data.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
The workflow copies user files into a temporary directory and only briefly notes cleanup after sending, without clearly warning that copied files may remain if cleanup is skipped or fails. This can expose sensitive documents or images to other local processes or later accidental disclosure from residual temp files.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The script overwrites the OpenClaw configuration file directly with no confirmation, diff preview, or warning immediately before the write. In the context of a permission-management tool, silent overwrite increases the risk of accidental or socially engineered privilege expansion and can also destroy prior secure settings.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
deleteTempFile() performs deletion on an arbitrary supplied path with only an existence check, and there is no validation that the path belongs to this module's temp directory. If a caller passes attacker-controlled input, this becomes a generic file deletion primitive that could remove accessible files outside the intended workspace.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  "author": "寇助理",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0"
  }
}
Confidence: 83%
Finding:
"axios": "^1.6.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

Severity: High
Category: Supply Chain
Confidence: 97%
Finding:
axios==1.6.0

VirusTotal

66/66 vendors flagged this skill as clean.
