feishu-robot-interact

Security checks across malware telemetry and agentic risk

Overview

This Feishu robot coordination skill is mostly purpose-aligned, but its sender checks and approval-memory logic are weak enough that chat-triggered tasks could run outside the intended developer control.

Review before installing. Use only in trusted Feishu groups and low-risk workflows unless you add sender allowlisting, verify developer approvals against FEISHU_DEVELOPER_ID, fix the confirmation/rejection memory logic, restrict MEMORY_PATH to a protected app-owned location, and avoid storing raw sensitive task text where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Tainted flow: 'path' from os.getenv (line 29, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"""保存开发者偏好记忆"""
    path = MEMORY_FILE.expanduser()
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        json.dump(data, f, ensure_ascii=False, indent=2)

def get_task记忆(task_type):
Confidence
86% confidence
Finding
with open(path, "w", encoding="utf-8") as f:

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill describes capabilities that imply environment access and local file reads/writes, but it declares no corresponding permissions. This creates a transparency and policy-enforcement gap: operators may approve or deploy the skill without understanding that it can persist data locally or access sensitive runtime context. In an agent skill that reacts to chat messages, undeclared capabilities make misuse and unintended data handling more dangerous.

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The described behavior does not match the behavior implied by the code: the skill may process any message that @mentions the bot rather than only messages from trusted robots, and it uses local persistence that the description does not clearly disclose. This is dangerous because attackers in the same chat could impersonate the expected workflow, trigger task execution paths, and influence remembered trust decisions or stored data under false assumptions about sender identity and storage behavior.

Intent-Code Divergence

High
Confidence
91% confidence
Finding
The confirmation prompt says that '确认+不再询问' (confirm, do not ask again) should remember a preference to stop asking, but the code stores ask_again=True for that path. This inversion can break the trust/approval model: operators may believe future similar tasks are pre-approved or consistently governed, while the system applies a contradictory policy, undermining safe human oversight in a robot-to-robot workflow.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The code comments indicate human-originated messages should not be processed, but the sender check is commented out, so any user in the chat can trigger the robot if they @mention it. In this skill context, which is intended for inter-bot coordination, that broadens the trust boundary and allows unauthorized humans to inject tasks into an automated workflow.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation explicitly stores raw task content and approval decisions in a local memory file, which can expose potentially sensitive business requests, workflow details, and user intent if the file is read by other local users, backups, or logs. In this skill's context, robot-to-robot tasks may include operational or data-access requests, so persisting them verbatim without retention, minimization, or access-control guidance creates a real privacy and security risk.

Medium
Confidence
88% confidence
Finding
The instructions explicitly recommend logging all interactions and persisting developer task preferences, which may include raw task text and other sensitive content in plain language. If those logs or memory files are stored insecurely, they can expose confidential prompts, operational details, identifiers, or approval history to other local users, tools, or compromised processes.

VirusTotal

65/65 vendors flagged this skill as clean.