ClawHub

Feishu Send Files

Security checks across malware telemetry and agentic risk

Overview

This is a real Feishu file-sending skill, but it has broad chat triggers and can upload arbitrary readable local files without strong confirmation safeguards.

Install only after reviewing the code and tightening usage. Use explicit bot mentions or CLI commands, always specify and verify the recipient, avoid broad keyword searches and “all”, do not send sensitive paths, and replace the 0777 log permissions with owner-only permissions before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The documentation is internally inconsistent about the `--to` parameter: one section says it is required, while other sections state that omitting it defaults to sending to a personal recipient. For a file-sending skill, ambiguity around the destination can directly cause misdelivery of potentially sensitive files, especially when operators rely on the 'required' wording and assume the tool will refuse unsafe invocations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill reads global OpenClaw configuration from the user's home directory and also writes a new workspace config file automatically. For a file-sending skill, modifying user configuration is broader than necessary and creates an unexpected persistence/config-tampering capability that could redirect recipients or alter later behavior.

Context-Inappropriate Capability

Low
Confidence
76% confidence
Finding
The skill creates a local logs directory and appends operational data including chat IDs, open IDs, filenames, and selection activity. This is an unnecessary local data collection surface for the stated capability and may expose sensitive identifiers or file metadata to other local users if permissions are weak.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill recursively searches the local workspace using user-supplied keywords and can enumerate matching files before sending them. That broadens the capability from 'send a specified file' to discovery of local content, which increases the risk of unintended disclosure of sensitive files present in the workspace.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill accepts arbitrary absolute paths from chat input and CLI arguments, then uploads the referenced file to Feishu if it exists. This allows exfiltration of files outside the workspace, including sensitive files from the host filesystem, making the context especially dangerous because the skill's purpose is direct file transfer to an external service.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README describes a very broad natural-language trigger pattern for the bot mode, such as '发送 ... 文件' or keyword-based matching, without clearly defining confirmation steps or strict activation boundaries. In an agent or chat environment, this can cause unintended activation from ordinary conversation and may lead to accidental file discovery or transmission if the implementation follows this loose behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README prominently advertises support for sending files from arbitrary local paths to Feishu, but does not clearly warn that this is a data exfiltration capability affecting any readable local file. In a desktop or agent workspace context, users may underestimate the sensitivity of local files and invoke the skill in ways that leak confidential documents to chat recipients.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill advertises natural-language and broad everyday trigger phrases such as '帮我发' and '发一下', which can cause accidental invocation from ordinary chat rather than an intentional tool request. In the context of a file-transfer skill, unintended activation is more dangerous because it may initiate file discovery, interactive selection, or actual delivery of files to chats or users without clear user intent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The `contains` and permissive `prefix_match` rules are overly broad and can match routine conversation mentioning '发文件' or similar language. Because this skill can search the workspace and send files externally via Feishu, false activations materially increase the risk of unintended file enumeration and disclosure.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases in this range are broad natural-language prefixes such as '帮我发', '发一下', and '把文件', which can match many ordinary conversational requests unrelated to an intentional invocation of this skill. Because this skill sends files and auto-detects group/user IDs, accidental activation could cause unintended file transmission to the wrong recipient or channel.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The contains-match triggers for '发文件' and '发送文件' can activate when those words appear incidentally inside a larger sentence, creating a high risk of unintended execution. In a file-sending skill, ambiguous activation is especially dangerous because it can turn casual discussion about sending files into a real action that distributes attachments or sensitive documents.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
|------|----------|
| **文件发错地方(发到个人而不是群里)** | 机器人触发时自动识别;命令行调用必须加 `--to "chat:群聊 ID"` |
| 文件名异常 | 使用最终版 index.js |
| 无日志 | 赋权 logs 目录:`chmod -R 777 logs` |
| 机器人无响应 | 重启 OpenClaw,检查文件路径 |
| 发送失败 | 检查飞书权限与 appId/appSecret 配置 |
| token 获取失败 | 检查 appId/appSecret 是否正确 |
Confidence
95% confidence
Finding
chmod -R 777

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal