Custom Gift Leewow

Security checks across malware telemetry and agentic risk

Overview

This gift-customization skill is mostly coherent, but it needs review because it can send Feishu messages with app credentials, keep sending from a detached background process after the main action returns, upload user-supplied images, and mint presigned COS access links for arbitrary objects.

Install only if you trust this publisher with a Leewow secret key, Feishu app credentials, and user-provided images. Use a least-privilege Feishu app and target chat, avoid sensitive personal photos, keep LEEWOW_API_BASE on the official Leewow domain, and review whether you want the generic COS presign tool and deferred Feishu sending enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tainted flow: 'url' from os.getenv (line 25, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
    return _sts_cache

    url = LEEWOW_API_BASE + STS_ENDPOINT
    resp = requests.get(url, timeout=15)
    resp.raise_for_status()
    data = resp.json()
    if not data.get("tmpSecretId"):
Confidence
89% confidence
Finding
resp = requests.get(url, timeout=15)

LEEWOW_API_BASE is read from the environment and concatenated into the STS URL with no host check, so whoever controls that variable chooses which server answers with the temporary COS credentials (tmpSecretId) that later code paths rely on.
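
The check that closes this flow, as an added example that is not code from the skill or from Leewow: pin the base URL to an allowlisted https host before any request is made, and only then append the STS path. The allowlisted host name, the STS path value and the stand-in for requests.get are assumptions; the page shows none of them.

```python
import os
from urllib.parse import urlsplit

# Hypothetical allowlist: the page does not state the official Leewow domain.
ALLOWED_API_HOSTS = frozenset({"api.leewow.example"})
# Assumed path; the page shows only the STS_ENDPOINT name, not its value.
STS_ENDPOINT = "/sts"


def api_base_rejection(api_base, allowed_hosts=ALLOWED_API_HOSTS):
    """Return None if api_base is an https URL on an approved host, else the reason it fails."""
    try:
        parts = urlsplit(api_base or "")
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return "malformed URL"
    if parts.scheme != "https":
        return "scheme must be https"
    if parts.username or parts.password:
        return "userinfo is not allowed in the base URL"
    if port not in (None, 443):
        return f"non-standard port {port}"
    if (parts.hostname or "") not in allowed_hosts:   # hostname is already lowercased
        return f"host {parts.hostname!r} is not an approved Leewow domain"
    if parts.query or parts.fragment:
        return "query string or fragment is not allowed"
    return None


def is_approved_api_base(api_base, allowed_hosts=ALLOWED_API_HOSTS):
    return api_base_rejection(api_base, allowed_hosts) is None


def sts_url(api_base=None, allowed_hosts=ALLOWED_API_HOSTS):
    """Build the STS URL only after the base has passed the allowlist check."""
    base = os.getenv("LEEWOW_API_BASE") if api_base is None else api_base
    reason = api_base_rejection(base, allowed_hosts)
    if reason:
        raise ValueError(f"refusing to fetch STS credentials: {reason}")
    return base.rstrip("/") + STS_ENDPOINT


def fetch_sts(getter, api_base=None, allowed_hosts=ALLOWED_API_HOSTS):
    """getter stands in for requests.get so the check can be exercised offline."""
    resp = getter(sts_url(api_base, allowed_hosts), timeout=15)
    resp.raise_for_status()
    data = resp.json()
    if not data.get("tmpSecretId"):
        raise RuntimeError("STS response is missing tmpSecretId")
    return data


class _FakeResponse:
    """Constructed stand-in for a requests.Response carrying a canned STS body."""

    def __init__(self, body):
        self._body = body

    def raise_for_status(self):
        pass

    def json(self):
        return self._body


def fake_getter(url, timeout=15):
    # Constructed: records the URL it was asked for and returns a canned body.
    fake_getter.last_url = url
    return _FakeResponse({"tmpSecretId": "AKIDconstructed", "tmpSecretKey": "constructed"})


if __name__ == "__main__":
    print(fetch_sts(fake_getter, "https://api.leewow.example/")["tmpSecretId"])
    for bad in ("http://api.leewow.example",
                "https://api.leewow.example@attacker.example/",
                "https://api.leewow.example.attacker.example/"):
        print(bad, "->", api_base_rejection(bad))
```

The userinfo and port checks matter because `https://api.leewow.example@attacker.example/` and `https://api.leewow.example:8443/` both contain the approved name while pointing somewhere else; a substring match on the base string would accept both.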

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script automatically loads all variables from ~/.openclaw/.env before performing a simple browse function, causing the tool to ingest potentially unrelated secrets from a broad local secrets file. That expands the skill's trust boundary unnecessarily and can expose sensitive credentials to later code paths, child processes, logs, or third-party libraries if the process is compromised or misused.
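
A narrower way to read the secrets file, added here as an example and not taken from the skill: parse ~/.openclaw/.env, keep only the handful of keys the skill is documented to need, and export nothing else into the process. The key names other than LEEWOW_API_BASE and the sample file contents are assumptions.

```python
import os
import re

# Assumed names: the page names LEEWOW_API_BASE and says the skill needs a Leewow
# secret key and Feishu app credentials, but does not show the other variable names.
SKILL_KEYS = ("LEEWOW_API_BASE", "LEEWOW_SECRET_KEY", "FEISHU_APP_ID", "FEISHU_APP_SECRET")

ASSIGN_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text):
    """Minimal KEY=value parser: blank lines, comments, `export`, quotes, trailing comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                        # quoted: keep contents verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()   # unquoted: drop a trailing comment
        values[key] = value
    return values


def select_keys(values, wanted=SKILL_KEYS):
    """Keep only the keys this skill needs; every other secret stays on disk."""
    return {k: values[k] for k in wanted if k in values}


def load_skill_env(path, wanted=SKILL_KEYS, environ=os.environ):
    """Read the secrets file and export only the wanted keys, never overriding a set value."""
    with open(path, encoding="utf-8") as fh:
        selected = select_keys(parse_dotenv(fh.read()), wanted)
    for key, value in selected.items():
        environ.setdefault(key, value)
    return sorted(selected)


# Constructed sample of a broad shared secrets file, for demonstration only.
SAMPLE_DOTENV = """\
# shared agent secrets
export OPENAI_API_KEY=sk-unrelated-secret
GITHUB_TOKEN="ghp_unrelated"
LEEWOW_API_BASE=https://api.leewow.example  # official base (constructed)
LEEWOW_SECRET_KEY='lw_constructed_key'
FEISHU_APP_ID=cli_constructed
FEISHU_APP_SECRET=feishu_constructed_secret
"""

if __name__ == "__main__":
    print(sorted(select_keys(parse_dotenv(SAMPLE_DOTENV))))
```

The unrelated OPENAI_API_KEY and GITHUB_TOKEN entries are parsed but never selected, so they cannot reach child processes, logs or third-party libraries through this skill's environment.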

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The tool silently spawns a detached background subprocess to continue sending messages after the main action returns. In an agent-skill context, deferred autonomous network activity is risky because it reduces user visibility and control, and can continue operating with credentials after the initiating request has completed.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This script creates presigned URLs that grant temporary access to objects in private COS buckets, and it accepts arbitrary COS URLs without checking that the object belongs to an approved bucket, prefix, or workflow. In the context of a gift-browsing/mockup skill, this is broader-than-necessary access-enablement functionality that could expose private images or other stored assets if the tool is invoked on attacker-chosen URLs.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The batch signing helper turns the module into a generic private-object access service rather than a narrowly scoped helper for a documented product feature. That capability expansion increases abuse potential because a caller can mass-generate temporary access links for multiple private objects, amplifying data exposure if the surrounding system lacks strict authorization.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill is presented as a custom-gift browsing and mockup workflow, but it exposes a generic COS presigned-URL utility that is not tightly scoped to that purpose. This expands the skill's capability surface and can be abused to mint temporary access links for arbitrary COS objects if the backend credentials permit it, creating a data access primitive unrelated to the user-facing task.
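
The bucket and prefix scoping that the three presign findings above ask for, as an added example rather than the skill's own code: parse the COS virtual-hosted URL, accept only objects under an explicit (bucket, region, prefix) policy, reject traversal and non-https URLs, and cap the batch size. The bucket, region, prefixes and demo_signer are constructed; a real implementation would hand the parsed bucket and key to the COS SDK's presign call in place of demo_signer.

```python
import re
from urllib.parse import unquote, urlsplit

# Virtual-hosted COS object URL: https://<bucket>-<appid>.cos.<region>.myqcloud.com/<key>
COS_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9-]*-\d+)\.cos\.(?P<region>[a-z]+-[a-z0-9-]+)\.myqcloud\.com$"
)

# Constructed policy: (bucket, region) -> key prefixes the skill may sign for.
PRESIGN_SCOPE = {
    ("gift-mockups-1250000000", "ap-guangzhou"): ("mockups/", "uploads/"),
}
MAX_BATCH = 10
DEFAULT_EXPIRES = 600  # seconds; keep links short-lived


def parse_cos_url(url):
    """Return (bucket, region, key) for a well-formed https COS object URL, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https COS URLs are accepted")
    m = COS_HOST_RE.match(parts.hostname or "")
    if not m:
        raise ValueError(f"not a COS virtual-hosted URL: {url!r}")
    key = unquote(parts.path).lstrip("/")      # decode before looking for traversal
    segments = key.split("/")
    if not key or key.endswith("/") or any(s in ("", ".", "..") for s in segments):
        raise ValueError(f"unsafe or empty object key: {key!r}")
    return m["bucket"], m["region"], key


def in_scope(url, scope=PRESIGN_SCOPE):
    """True only if the URL names an object under an approved bucket, region and prefix."""
    try:
        bucket, region, key = parse_cos_url(url)
    except ValueError:
        return False
    return any(key.startswith(prefix) for prefix in scope.get((bucket, region), ()))


def demo_signer(bucket, region, key, expires):
    # Constructed stand-in for an SDK presign call; returns a recognisable placeholder.
    return f"https://{bucket}.cos.{region}.myqcloud.com/{key}?demo-sig&expires={expires}"


def presign_in_scope(urls, signer=demo_signer, scope=PRESIGN_SCOPE, expires=DEFAULT_EXPIRES):
    """Sign only in-scope URLs and report the rest, instead of silently signing everything."""
    if len(urls) > MAX_BATCH:
        raise ValueError(f"batch of {len(urls)} exceeds the limit of {MAX_BATCH}")
    signed, rejected = {}, []
    for url in urls:
        if in_scope(url, scope):
            bucket, region, key = parse_cos_url(url)
            signed[url] = signer(bucket, region, key, expires)
        else:
            rejected.append(url)
    return signed, rejected


if __name__ == "__main__":
    base = "https://gift-mockups-1250000000.cos.ap-guangzhou.myqcloud.com/"
    print(presign_in_scope([base + "mockups/order42/front.png", base + "backups/db.sql"]))
```

The decode-then-check order is deliberate: `mockups/%2e%2e/backups/db.sql` starts with an approved prefix as raw text but resolves to `..`, so the key check runs on the decoded path.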

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger guidance includes broad, everyday phrases such as gift-related browsing and customization requests, increasing the chance the skill is invoked in contexts where the user did not intend external tool execution or direct Feishu sending. In this skill, over-invocation is more dangerous than usual because invocation can cause network activity, file handling, and outbound messaging to Feishu with a `NO_REPLY` pattern that reduces user-visible confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code places Feishu app credentials into the child process environment for deferred sending, which broadens credential exposure beyond the original process without clear disclosure. Environment variables are commonly inherited, inspectable by same-user processes in some environments, and may be captured in debugging, crash, or process-inspection workflows.
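
A deferred sender that does not inherit credentials, added as an example and not taken from the skill, covering both the background-subprocess finding and this one: the parent strips credential variables from the child's environment, hands the job to the child over stdin, stays attached with a timeout, and stamps the job with a deadline the child honours. The variable prefixes and the child program are constructed; the child only reports what it received instead of calling Feishu.

```python
import hashlib
import json
import os
import subprocess
import sys
import time

# Assumed prefixes for the credential variables the page says this skill holds.
SENSITIVE_PREFIXES = ("FEISHU_", "LEEWOW_", "TENCENTCLOUD_", "COS_")


def scrubbed_env(environ=None):
    """Copy of the environment with every credential-bearing variable removed."""
    source = os.environ if environ is None else environ
    return {k: v for k, v in source.items() if not k.upper().startswith(SENSITIVE_PREFIXES)}


def fingerprint(secret):
    # Short digest so the child can prove receipt without echoing the secret.
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def demo_environ():
    # Constructed parent environment that carries a Feishu secret, as the skill's does.
    return dict(os.environ, FEISHU_APP_SECRET="would-leak-if-inherited")


# Child program (constructed). A real sender would call Feishu here; this one reports
# what it received and whether any credential reached it through the environment.
CHILD_PROGRAM = r"""
import hashlib, json, os, sys, time
job = json.load(sys.stdin)                    # credentials arrive on stdin, not argv or env
expired = time.time() > job["not_after"]      # refuse to act on a stale job
print(json.dumps({
    "secret_in_env": any(k.upper().startswith(("FEISHU_", "LEEWOW_")) for k in os.environ),
    "secret_fingerprint": hashlib.sha256(job["app_secret"].encode()).hexdigest()[:16],
    "expired": expired,
    "would_send": 0 if expired else len(job["messages"]),
}))
"""


def run_deferred_sender(app_id, app_secret, messages, ttl_seconds=60, environ=None, timeout=30):
    """Hand the job to a child over a pipe, keep it attached, and bound its lifetime."""
    job = {
        "app_id": app_id,
        "app_secret": app_secret,
        "messages": list(messages),
        "not_after": time.time() + ttl_seconds,
    }
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_PROGRAM],
        input=json.dumps(job),
        env=scrubbed_env(environ),
        capture_output=True,
        text=True,
        timeout=timeout,   # the parent waits; nothing keeps running after it returns
        check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print(run_deferred_sender("cli_constructed", "constructed-secret", ["hello"], environ=demo_environ()))
```

A child that is not detached and that carries its own deadline cannot keep sending with the credentials after the initiating request has completed; the stdin handoff means a process listing or an inherited environment never shows the secret.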

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script uploads a user-supplied local image to a remote COS bucket and then submits its URL to an external generation API, but it provides no explicit disclosure, consent prompt, or data-handling warning at the point of transfer. In this skill context, users may provide personal photos for gift customization, so silent transmission of potentially sensitive images to third-party services creates a real privacy and compliance risk even though the upload is functionally required.

VirusTotal

65/65 vendors reported this skill as clean.