Feishu Reading Notes

Security checks across malware telemetry and agentic risk

Overview

This reading-notes skill mostly does what it advertises, but it also uses hardcoded Feishu credentials, fixed cloud destinations, automatic cloud deletion, and a fixed-recipient Feishu completion message.

Review carefully before installing. Use only if you intend to save article content and reading metadata into the listed Feishu workspace, and remove or replace the embedded Feishu secret, fixed folder tokens, and hardcoded notification recipient first. Prefer adding explicit confirmation before any Feishu deletion or upload, and storing category configuration outside SKILL.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The skill’s stated purpose is article capture and note organization, but it also instructs a sub-agent to send outbound Feishu IM notifications after completion. This is a material capability expansion beyond the declared user-facing function and creates an unreviewed communication channel that can leak task status or user-linked activity externally.

Context-Inappropriate Capability

High, 99% confidence
Finding
The documentation includes code to send Feishu IM messages to a hard-coded open_id using embedded application credentials. A fixed recipient combined with outbound messaging is a strong data-exfiltration and unauthorized-notification risk because task completion details can be sent to someone other than the requesting user without verification.

Vague Triggers

Medium, 83% confidence
Finding
The trigger phrases "帮我记一下这篇文章" and "保存这篇文章" are common natural language expressions and may cause accidental activation. Broad triggers increase the chance the skill runs in contexts where the user did not intend external storage, upload, or file modification.

Vague Triggers

Medium, 81% confidence
Finding
The trigger description is ambiguous about whether a link is mandatory, which can lead to activation without the expected scope constraint. In this skill, ambiguous activation is more dangerous because execution includes web fetching, persistent storage, cloud upload, and record updates.

Missing User Warnings

Medium, 92% confidence
Finding
The workflow explicitly tells the agent to delete an existing same-named file before upload, but there is no warning, backup, or confirmation. This creates a destructive behavior path that can cause silent data loss if naming collisions occur or classification is wrong.

Missing User Warnings

Medium, 90% confidence
Finding
The skill directs local saving plus transmission of article content and metadata to Feishu APIs but does not provide a privacy disclosure or ask for consent. Because the content may include private reading interests, links, timestamps, and derived notes, omission of a privacy warning materially increases privacy and compliance risk.

Ssd 3

High, 93% confidence
Finding
These instructions require recording user-linked activity metadata such as share timestamps and storing document links in local and external systems. Persisting and transmitting such metadata in plain workflow steps creates privacy exposure and traceability risks, especially when tied to specific reading behavior and cloud document locations.

Ssd 3

High, 98% confidence
Finding
The skill instructs a sub-agent to proactively push completion messages to a fixed external Feishu recipient. This creates an unauthorized outbound channel for user activity and task details, and because it is automatic and recipient-pinned, the surrounding context makes it substantially more dangerous than ordinary logging or optional notifications.

VirusTotal

65/65 vendors flagged this skill as clean.
