Security audit

Feishu Zh6

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Feishu messaging skill, but users should verify recipients and files before sending anything outside their workspace.

Install this only if you want the agent to send Feishu messages and selected workspace files. Before each send, check the Feishu user ID, message text, and file path. Avoid sending secrets or private documents unless you intentionally want to share them, and download images only from trusted URLs before forwarding them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
This skill instructs the agent to send text, images, and files through Feishu, including local files from ~/.openclaw/workspace, but it does not warn that doing so transmits potentially sensitive local content to an external third-party service. In an agent setting, that omission can lead users to unknowingly authorize exfiltration of private data, credentials, documents, or screenshots to an external recipient or platform.

VirusTotal

65/65 vendors flagged this skill as clean.