Swarm Control Feishu

Security checks across malware telemetry and agentic risk

Overview

The skill's stated purpose is to build a Feishu-controlled agent swarm, but the configuration and scripts it ships grant broad host and cross-session control with weak scoping and unsafe privilege defaults.

Install only in an isolated test environment or on a dedicated host. Do not run it on a personal or production machine unless you first:
  • remove passwordless sudo;
  • restrict elevated actions to named trusted admins;
  • enable sandboxing;
  • require command approval;
  • limit filesystem and session access;
  • bind services to localhost;
  • disable insecure auth;
  • rotate the API token shown in the publishing guide if it was ever real.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (53)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs users to run shell scripts (`deploy.sh`, `start-voice-service.sh`, `check-status.sh`) but does not declare permissions or prominently warn that it will execute host-level commands. This creates a trust gap where users may install a skill believing it is declarative documentation while it actually drives privileged system actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The documented behavior goes well beyond ordinary Feishu agent setup by enabling unrestricted execution, passwordless sudo, broad filesystem access, session visibility, and an externally reachable voice service. In this context, the mismatch is highly dangerous because the skill is framed as convenient automation but effectively establishes remote administrative control and additional attack surface on the host.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document includes a bearer token in a publish example while also warning that sensitive information should be removed before release. Even if intended as a sample, publishing a realistic token string teaches unsafe handling and may expose a live credential if it was copied from a real environment. In the context of a skill that advertises full-permission control and publishing workflows, leaked credentials could enable unauthorized publication or account actions.
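A pre-publish check for the pattern in this finding, added here as an example and not code from the skill or from the scanner. It scans documentation text for `Bearer` tokens, skips obvious placeholders such as `<YOUR_TOKEN>` or `${TOKEN}`, and uses a character-entropy cutoff to separate realistic secrets from filler. The sample document, the token format, the placeholder patterns and the entropy threshold are all assumptions for illustration.

```python
"""Flag bearer tokens in documentation before it is published.

Added example, not part of the skill or the scanner. The SAMPLE_DOC below is
constructed: one line carries a realistic-looking token, one a placeholder.
"""
import math
import re
from collections import Counter

# Constructed sample mirroring the finding: a publish example with a live-looking
# token next to a placeholder that should be allowed through.
SAMPLE_DOC = """\
# Publish

curl -H "Authorization: Bearer a1B2c3D4e5F6g7H8i9J0kLmNoPqRsT" https://example.invalid/publish
curl -H "Authorization: Bearer <YOUR_TOKEN>" https://example.invalid/publish
"""

# Token characters after "Bearer": base64/url-safe plus the delimiters placeholders use.
BEARER_RE = re.compile(r"Bearer\s+([A-Za-z0-9_\-./+=<>${}]{8,})")
# Placeholder shapes that are safe to ship: <NAME>, ${NAME}, $NAME, YOUR_..., xxx..., ...
PLACEHOLDER_RE = re.compile(r"^<[A-Z_]+>$|^\$\{?[A-Z_]+\}?$|^(?:YOUR_|xxx|\.\.\.)", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, repeated filler scores low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_bearer_tokens(text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return suspected real tokens with their line numbers; placeholders are skipped.

    min_entropy is an assumed cutoff: anything below it is treated as filler.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in BEARER_RE.finditer(line):
            tok = m.group(1)
            if PLACEHOLDER_RE.search(tok):
                continue
            ent = shannon_entropy(tok)
            if ent < min_entropy:
                continue
            # Never echo the full secret; a prefix is enough to locate it.
            hits.append({"line": lineno, "token": tok[:6] + "...", "entropy": round(ent, 2)})
    return hits

if __name__ == "__main__":
    for h in find_bearer_tokens(SAMPLE_DOC):
        print(f"line {h['line']}: possible live token {h['token']} (entropy {h['entropy']})")
```

Run it over every file in the publish bundle and fail the release when the list is non-empty; if a flagged string was ever a real credential, rotate it rather than just deleting the line.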

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The shared config explicitly grants unrestricted command execution, filesystem access, browser control, subagent creation, and visibility into all sessions, which far exceeds the stated purpose of configuring a Feishu agent cluster. In this context, those permissions enable lateral movement across agents, unauthorized data access, and arbitrary host actions if the skill is invoked or abused.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instruction to inspect other agents' sessions after restart creates a standing surveillance and intervention capability unrelated to ordinary cluster configuration. That allows the agent to read potentially sensitive conversation history and act on behalf of other agents without user awareness or authorization.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The file instructs the agent to execute local shell scripts for configuration sync and service management, giving the skill a path to host-level code execution beyond its declared purpose. If those scripts are modified, unsafe, or triggered unexpectedly, they can change configuration, start services, or perform arbitrary system actions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The template grants sweeping privileges including arbitrary command execution, unrestricted filesystem access, full browser control, and visibility into all agent sessions. For a skill described as Feishu agent cluster configuration, this is materially over-scoped and enables lateral movement, data access, and unauthorized actions well beyond setup needs.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file embeds active operational behavior for a voice transcription service, including health checks and audio upload workflows, instead of limiting itself to static cluster configuration. This expands the skill into runtime service interaction and data handling, increasing attack surface and creating unreviewed processing of user content.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Authorizing 'exec' to run any command without approval and 'fs' to read or write any file creates a direct path to host compromise, credential theft, destructive changes, and persistence. The described skill purpose does not justify unrestricted command and file access, so the instruction is an unsafe privilege escalation pattern.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The template instructs agents to inspect all sessions after restart and proactively respond, effectively turning a configuration skill into a standing monitoring and intervention mechanism. This is dangerous because it normalizes cross-context surveillance and autonomous action on conversations unrelated to the agent's current task.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The '安全第一' ("safety first") statement is contradicted by earlier directives granting universal cross-session visibility and unrestricted control. This inconsistency can mislead reviewers or operators into believing safeguards exist when the actual instructions enable broad access and unsafe actions.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The tool configuration enables capabilities far beyond Feishu messaging orchestration: full exec access with prompts disabled, filesystem access outside the workspace, elevated actions, session visibility across all sessions, and agent-to-agent control. In the context of a chat-connected multi-agent cluster, this creates a broad remote-control surface where a message-channel compromise, prompt injection, or misrouting could lead to host-level actions unrelated to the advertised setup purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Sandboxing is disabled in the agent defaults, and the same setting is repeated for each listed agent, meaning all agents execute without isolation. Because these agents are reachable through Feishu and can spawn subagents, disabling the sandbox materially increases the chance that unsafe model outputs, malicious prompts, or compromised integrations can directly affect the host environment.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The gateway binds to the LAN and enables a control UI with allowInsecureAuth set to true, exposing administrative functionality over the network with weakened authentication controls. In a system that already manages multiple agents and host-control features, this significantly increases the likelihood of unauthorized access, lateral movement from the local network, and takeover of the agent cluster.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The configuration explicitly enables elevated actions and allows them from both webchat and Feishu for all senders via wildcard rules. This creates a direct path from externally influenced chat channels to privileged host operations, making prompt injection, account compromise, or message spoofing potentially equivalent to remote privileged command execution.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation explicitly advertises 'full permission control' including privilege escalation and passwordless sudo for a Feishu agent cluster, which is far beyond what is needed to configure bots or channel bindings. Exposing these capabilities in an externally reachable chat-controlled system creates a direct path to host compromise, arbitrary command execution as root, and abuse of all connected agents.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The configuration grants elevated execution to all users on both webchat and Feishu via wildcard allowlists, meaning any user who can reach the bot may trigger privileged actions. In the context of a multi-agent system with command execution enabled, this effectively turns chat access into administrative access on the host.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documented settings disable sandboxing, allow unrestricted command execution without confirmation, and permit filesystem access outside the workspace. For a Feishu cluster-management skill, these powers are unnecessary and dramatically increase the blast radius of prompt injection, bot misuse, or operator error.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Setting session visibility to 'all' allows agents or users to access unrelated conversations and data across sessions. In a multi-project bot deployment, this breaks tenant isolation and can leak sensitive prompts, credentials, or business data between users and projects.
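The settings called out in the last several findings (sandbox disabled per agent, exec without approval, filesystem access outside the workspace, session visibility set to 'all', elevated actions allowed from wildcard senders, gateway bound to the LAN with allowInsecureAuth) can be checked mechanically before the config is deployed. The following is an added example, not the skill's config or the agent runtime's own code: the key names (`agents.defaults.sandbox`, `tools.exec.requireApproval`, `tools.fs.restrictToWorkspace`, `tools.sessions.visibility`, `elevated.allowFrom`, `gateway.bind`, `gateway.controlUi.allowInsecureAuth`) are assumed for illustration, and `WEAK_CONFIG` is constructed to mirror the reported defaults. `audit` lists every unsafe value with a severity; `harden` produces a copy with the values the overview calls for, replacing wildcard allowlists with named admins.

```python
"""Audit and harden the agent/gateway settings the findings describe.

Added example; key names are assumptions, not the real schema of the skill
or its runtime. WEAK_CONFIG is constructed to match the reported defaults.
"""
import copy
import ipaddress
import json

WEAK_CONFIG = json.loads("""{
  "agents": {
    "defaults": {
      "sandbox": false,
      "tools": {
        "exec": {"requireApproval": false},
        "fs": {"restrictToWorkspace": false},
        "sessions": {"visibility": "all"}
      },
      "elevated": {"enabled": true, "allowFrom": {"webchat": ["*"], "feishu": ["*"]}}
    },
    "list": [{"id": "main", "sandbox": false}, {"id": "voice", "sandbox": false}]
  },
  "gateway": {"bind": "0.0.0.0", "controlUi": {"enabled": true, "allowInsecureAuth": true}}
}""")

def _is_loopback(addr: str) -> bool:
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit(cfg: dict) -> list[tuple[str, str, str]]:
    """Return (severity, setting, reason) for every value that widens the blast radius."""
    out = []
    agents = cfg.get("agents", {})
    d = agents.get("defaults", {})
    tools = d.get("tools", {})
    elev = d.get("elevated", {})
    gw = cfg.get("gateway", {})
    ui = gw.get("controlUi", {})

    if d.get("sandbox") is not True:
        out.append(("high", "agents.defaults.sandbox", "agents run with no isolation from the host"))
    for agent in agents.get("list", []):          # per-agent overrides repeat the default
        if agent.get("sandbox") is False:
            out.append(("high", f"agents.list[{agent.get('id')}].sandbox", "override disables the sandbox"))
    if tools.get("exec", {}).get("requireApproval") is not True:
        out.append(("high", "tools.exec.requireApproval", "shell commands run without confirmation"))
    if tools.get("fs", {}).get("restrictToWorkspace") is not True:
        out.append(("high", "tools.fs.restrictToWorkspace", "file access reaches outside the workspace"))
    if tools.get("sessions", {}).get("visibility") == "all":
        out.append(("medium", "tools.sessions.visibility", "every agent can read every other session"))
    if elev.get("enabled"):
        for channel, senders in elev.get("allowFrom", {}).items():
            if "*" in senders:
                out.append(("critical", f"elevated.allowFrom.{channel}", "any sender can trigger elevated actions"))
    if not _is_loopback(gw.get("bind", "0.0.0.0")):
        out.append(("high", "gateway.bind", "gateway and control UI reachable from the network"))
    if ui.get("enabled") and ui.get("allowInsecureAuth"):
        out.append(("high", "gateway.controlUi.allowInsecureAuth", "weakened authentication on the admin UI"))
    return out

def harden(cfg: dict, admins: dict[str, list[str]]) -> dict:
    """Copy of cfg with safe values; `admins` maps channel -> named sender ids allowed to elevate."""
    h = copy.deepcopy(cfg)
    agents = h.setdefault("agents", {})
    d = agents.setdefault("defaults", {})
    d["sandbox"] = True
    for agent in agents.get("list", []):
        agent["sandbox"] = True
    tools = d.setdefault("tools", {})
    tools.setdefault("exec", {})["requireApproval"] = True
    tools.setdefault("fs", {})["restrictToWorkspace"] = True
    tools.setdefault("sessions", {})["visibility"] = "own"
    # Wildcards are dropped; a channel left with no named admin gets no elevated access at all.
    allow = {ch: [s for s in ids if s != "*"] for ch, ids in admins.items()}
    allow = {ch: ids for ch, ids in allow.items() if ids}
    d["elevated"] = {"enabled": bool(allow), "allowFrom": allow}
    gw = h.setdefault("gateway", {})
    gw["bind"] = "127.0.0.1"
    gw.setdefault("controlUi", {})["allowInsecureAuth"] = False
    return h

if __name__ == "__main__":
    for sev, key, why in audit(WEAK_CONFIG):
        print(f"[{sev}] {key}: {why}")
    print(json.dumps(harden(WEAK_CONFIG, {"feishu": ["ou_admin_example"]}), indent=2))
```

Map the assumed keys onto the runtime's real schema before using this as a gate; the checks themselves (no wildcard elevation, loopback bind, sandbox on for every agent, approval required for exec) are the ones the overview lists.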

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script is presented as a status-check utility, but it also inspects and recommends system-wide passwordless sudo configuration. That creates a misleading trust boundary: operators may run a harmless-looking diagnostic script without realizing it normalizes or encourages full privilege escalation practices unrelated to simple status checking.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
A status-check script should not include functionality or guidance that promotes global passwordless sudo access. The printed command grants the user unrestricted root execution via sudo without authentication, which drastically increases the blast radius of any compromise of that account, agent, or workspace.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script writes `lehua ALL=(ALL) NOPASSWD: ALL` into `/etc/sudoers.d`, granting a hard-coded user unrestricted passwordless root access across the host. That capability is unrelated to Feishu agent deployment and creates a permanent privilege-escalation backdoor if the account exists or is later created.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises agent cluster setup, but the script silently modifies host privilege configuration to enable full passwordless sudo for a specific user. This mismatch is deceptive and materially increases risk because users would not reasonably expect a deployment helper to alter system-wide trust boundaries.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
Labeling the step as merely configuring system permissions obscures that it actually grants unrestricted passwordless sudo to `lehua`. This misleading description can trick operators into approving a far more dangerous change than indicated.
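The four findings above all turn on one line the deploy script writes, `lehua ALL=(ALL) NOPASSWD: ALL`. The following is an added example, not code from the skill, showing how to detect that grant in a sudoers fragment directory and what a scoped replacement looks like. It parses the common single-line rule form (user, host, optional runas, tags such as `NOPASSWD:`, command list), flags any rule that is both passwordless and `ALL`, and builds a least-privilege rule limited to named absolute-path commands. The fragments written by `demo_scan()` are constructed samples; the `voice.service` unit name is an assumption.

```python
"""Find unrestricted passwordless sudo grants in sudoers.d-style fragments.

Added example, not the skill's code. Handles the single-line rule form and
skips comments, #include lines, Defaults and alias definitions.
"""
import os
import re
import tempfile

# user  host = (runas) [TAG: ...] command[, command]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")          # NOPASSWD:, SETENV:, NOEXEC:, ...
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_rule(line: str):
    """Parse one sudoers line; None for blanks, comments, includes, Defaults, aliases."""
    line = line.split("#", 1)[0].strip()      # '#include' lines fall away with comments
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    tags = []
    while (t := TAG_RE.match(rest)):
        tags.append(t.group(1))
        rest = rest[t.end():]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",  # sudoers default when (runas) is omitted
        "tags": tags,
        "commands": [c.strip() for c in rest.split(",")],
    }

def is_unrestricted_nopasswd(rule: dict) -> bool:
    """True for the 'anything, as anyone, no password' shape the finding describes."""
    return "NOPASSWD" in rule["tags"] and "ALL" in rule["commands"]

def scan_dir(path: str) -> list[dict]:
    """Return every unrestricted NOPASSWD grant under `path` (e.g. /etc/sudoers.d)."""
    hits = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, encoding="utf-8", errors="replace") as fh:
            for lineno, raw in enumerate(fh, 1):
                rule = parse_rule(raw)
                if rule and is_unrestricted_nopasswd(rule):
                    hits.append({"file": name, "line": lineno,
                                 "user": rule["user"], "runas": rule["runas"]})
    return hits

def scoped_rule(user: str, commands: list[str], runas: str = "root") -> str:
    """Least-privilege replacement: passwordless only for the named absolute-path commands."""
    for c in commands:
        if not c.startswith("/"):
            raise ValueError(f"command must be an absolute path: {c!r}")
    return f"{user} ALL=({runas}) NOPASSWD: {', '.join(commands)}"

def demo_scan() -> list[dict]:
    """Write constructed fragments to a temp dir and scan them."""
    fragments = {
        "10-admins": "%admin ALL=(ALL) ALL\n",                        # passworded: not flagged
        "50-voice": scoped_rule("lehua", ["/usr/bin/systemctl restart voice.service",
                                          "/usr/bin/systemctl status voice.service"]) + "\n",
        "90-lehua": "# added by deploy.sh\nlehua ALL=(ALL) NOPASSWD: ALL\n",  # the reported grant
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in fragments.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_dir(d)

if __name__ == "__main__":
    for h in demo_scan():
        print(f"{h['file']}:{h['line']}: {h['user']} runs anything as {h['runas']} with no password")
```

Point `scan_dir` at `/etc/sudoers.d` on a host where the deploy script has run; if the grant is present, remove the fragment (or replace it with a `scoped_rule` output validated by `visudo -cf`) rather than editing the file in place with the bot account still able to elevate.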

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs users to execute deployment and voice-service shell scripts directly, but provides no description of what those scripts do, what permissions they require, or what system changes they make. In the context of a skill advertising broad control features, this increases the risk that users will run privileged or environment-altering code without informed consent.

VirusTotal

67/67 vendors reported this skill as clean.
