Knowledge Acquisition (知识获取)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a knowledge-capture workflow, but it can automatically upload extracted notes to Feishu and make them open to anyone with the link when credentials are configured.

Install only if you are comfortable with extracted content, metadata, generated notes, and Feishu file tokens being sent to your Feishu tenant and potentially made accessible to anyone with the link. Use least-privilege Feishu credentials, keep secrets out of files and logs, set FEISHU_DISABLED=true for local-only use, and avoid sending private, regulated, or proprietary content unless the sharing permissions have been reviewed or changed to private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions, yet the analyzed behavior indicates access to environment data and network capabilities. This is dangerous because users and platform policy may rely on declared permissions for trust and consent, while undeclared capabilities can enable secret data access or remote exfiltration if the implementation is abused or compromised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is limited to parsing user-provided content and generating notes, but the detected behavior expands into local file storage, broader content fetching/search, public-sharing configuration in Feishu, and outbound notifications. This mismatch is dangerous because it hides materially different data flows and side effects from users, increasing the risk of unauthorized collection, persistence, and disclosure of potentially sensitive content.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The expert-tier configuration exposes dormant but security-relevant capabilities such as API endpoints, plugin extension, AI-powered analysis, and real-time monitoring that materially exceed the stated knowledge-acquisition purpose. Even though gated by environment variables, these switches enlarge the attack surface and can enable unauthorized code paths or integrations if enabled in deployment without corresponding review, documentation, or controls.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
API endpoint and plugin extension support are powerful generic execution/integration mechanisms unrelated to simple content parsing and note generation. In a knowledge-acquisition skill, such features create a path for unintended external exposure, unsafe extensibility, or arbitrary third-party logic loading, making the context more dangerous because users would not reasonably expect these capabilities.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The upload flow explicitly changes Feishu file permissions to public by setting external_access_entity to open and comment/view access broadly, which exposes generated notes to anyone with the link. Because the skill processes extracted third-party and potentially sensitive user-curated content, public sharing materially increases confidentiality and data-leakage risk beyond ordinary cloud backup.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The main workflow always invokes saveToFeishuCloud after note generation, despite the skill description saying Feishu archiving is optional. This creates an implicit data export path that users may not expect, causing unwanted transmission of extracted content and increasing the blast radius when combined with the public-permission behavior.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill sends outbound Feishu IM messages containing the archived document URL and token to a recipient from context, which exceeds the stated purpose of content parsing and optional cloud-drive archiving. This creates an additional data-disclosure channel and can expose sensitive links or identifiers to unintended recipients if context is spoofed, stale, or user expectations are unclear.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code uploads generated notes to Feishu and explicitly sets `external_access_entity: "open"`, making files accessible to anyone with the link. Because the notes contain extracted third-party content and metadata, this expands access far beyond simple archival and can leak private, proprietary, or copyrighted material without clear user consent or warning.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The plugin accesses a personalized follow-feed using the user's Bilibili session credential (SESSDATA), which goes beyond simple public video extraction and enables collection of account-specific activity. In an agent skill context, this broadens data access scope and can expose private or sensitive viewing/subscription relationships without clear consent boundaries.

Description-Behavior Mismatch

Low
Confidence
78% confidence
Finding
The returned object includes absolute or local filesystem paths for downloaded content in both the images array and metadata. Exposing internal paths can leak host filesystem structure to upstream consumers, which may aid environment fingerprinting or reveal sensitive deployment details unnecessarily.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The plugin’s declared purpose is note/content extraction, but it also implements feed discovery and authenticated retrieval of a user's following feed. This expands the data-access surface from user-supplied public content to account-scoped and broader scraping functionality, creating a real scope-creep risk that can enable unnecessary collection of personal or behavioral data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code accepts raw login cookies and uses them to access a user's following feed, which is materially more sensitive than public note extraction. In an agent-skill context, handling authentication material without strict boundaries can expose account data, facilitate unauthorized scraping, and create credential leakage risk if cookies are logged, reused, or mishandled elsewhere in the system.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The document instructs users to configure Feishu credentials and cloud-upload settings without any guidance on secret handling, least-privilege scoping, or the fact that processed content will be transmitted to an external cloud service. In a knowledge-acquisition skill that ingests potentially sensitive third-party content, this increases the risk of credential leakage and unintended data exfiltration through misconfiguration or unsafe operational practices.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly states that extracted external content can be archived to Feishu cloud storage, but it does not clearly warn that third-party content, links, author metadata, timestamps, and possibly media-derived information may be transmitted to an external service. In a knowledge-ingestion skill that processes arbitrary URLs and messages, this omission increases the risk of unintentional data exfiltration, copyright/privacy violations, and unsafe handling of sensitive source material.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to configure Feishu app credentials and optional tokens, but does not clearly label them as secrets or warn against committing, logging, sharing, or storing them insecurely. Because these credentials grant access to cloud storage and APIs, mishandling them can enable unauthorized uploads, data access, or abuse of the connected Feishu tenant.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation rule 'directly send links/text' is so broad that ordinary conversation or incidental pasted content could trigger the skill unintentionally. In a skill that performs network retrieval, classification, note generation, and optional cloud archival, accidental activation can cause unexpected processing or transmission of user data.

Missing User Warnings

High
Confidence
95% confidence
Finding
The workflow explicitly states that processed notes are saved to a Feishu drive with 'publicly accessible' and 'anyone can comment' permissions, but it does not present this as a privacy-sensitive action or require informed user consent. Because the skill handles extracted content from external links, this can expose private, copyrighted, or sensitive material to unintended audiences and create a direct confidentiality risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The workflow describes extracting content from third-party platforms and performing AI-assisted classification/analysis, but does not clearly disclose that content may be transmitted to external services or plugins for processing. This matters because users may reasonably assume links are only locally parsed, while the actual flow could send article contents, metadata, or derived notes to outside systems, creating privacy and compliance concerns.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The document advertises automatic processing of inbound content from platforms like WeChat and optional Feishu cloud sync without presenting clear user-facing notice, consent, or data-handling boundaries. In a workflow that ingests messages, extracts content, performs OCR/transcription, and may upload derived notes, missing transparency can lead to unintended collection and transfer of sensitive data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow explicitly includes automatic folder creation, document upload, permission setting, and user notification, but the HTML provides no visible warning or consent checkpoint before these actions. In this skill's context, that increases the risk of silent exfiltration or over-sharing of processed content to cloud storage, especially if source material includes private messages, OCR text, or transcribed media.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code uploads generated notes to Feishu and then makes them publicly accessible without any visible user-facing warning or consent step in the workflow. Silent public publication is dangerous because users may provide private links, summaries, or proprietary material expecting note generation, not internet-accessible sharing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill uploads processed content to Feishu Drive automatically after parsing, without an explicit confirmation step or clear notice to the user at the point of action. Because the skill processes arbitrary URLs and user text, this can cause unintended persistence of sensitive content in external storage.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill changes uploaded files to publicly accessible/open and allows broad comment/view access without explicit user consent. This is dangerous because any sensitive or copyrighted content processed by the skill may become accessible beyond the intended workspace, substantially increasing confidentiality and compliance risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill uploads user-derived notes to Feishu and makes them publicly accessible without any visible user-facing warning or consent gate. In this skill context, users are sending links for knowledge capture, not necessarily authorizing public redistribution, so the behavior materially increases the risk of data exposure and unauthorized sharing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code transmits a sensitive session token in the Cookie header during outbound requests, but the file contains no visible consent, warning, scoping, or handling safeguards for that credential. In a plugin ecosystem, silent use of login credentials increases the risk of unauthorized account-data access, accidental logging, misuse by downstream code, or future expansion into more sensitive authenticated actions.

VirusTotal

66/66 vendors flagged this skill as clean.