Feishu Power Skill

Security checks across malware telemetry and agentic risk

Overview

This Feishu automation skill mostly matches its purpose, but it includes an under-disclosed scheduler feature that can run arbitrary local Python scripts from YAML configuration.

Install only if you need high-trust Feishu automation. Use a dedicated least-privilege Feishu app, avoid broad workspace scopes, test with dry-run or local output before bulk updates or publishing, keep snapshots and generated reports out of shared folders and source control, and do not run schedule files from untrusted sources. Review or remove any schedule job with type custom, script, or args because it can execute local Python code with your user permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    script = os.path.join(SCRIPT_DIR, script)
    cmd = [sys.executable, script] + params.get("args", [])
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
    return {
        "type": "custom",
        "script": script,
Confidence
97% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and demonstrates capabilities requiring environment access, file I/O, network calls, and shell execution, yet it declares no permissions or safety boundaries. This creates a real security issue because an agent or host may invoke privileged operations without informed consent, review, or sandboxing assumptions being made explicit.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose centers on Feishu automation, reporting, and audits, but the static finding indicates broader capabilities including Wiki/Drive access and a YAML-driven custom script runner. Hidden or under-disclosed capabilities are dangerous because they expand the attack surface beyond user expectations and can enable arbitrary code execution or unauthorized data access through seemingly routine automation flows.

Context-Inappropriate Capability

Medium
Confidence
75% confidence
Finding
The wrapper exposes Wiki and Drive listing/creation capabilities beyond the core bitable/reporting use cases described in the skill metadata. This expands the accessible data surface and could enable unintended browsing or modification of broader tenant content if higher scopes are granted.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This scheduler advertises Feishu reporting automation but also includes a generic arbitrary-script execution mechanism, which materially expands the trust boundary beyond report generation. In practice, anyone able to influence the schedule file can turn the tool into a general code-execution launcher, enabling persistence, data theft, or lateral movement.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to export Feishu application credentials as environment variables but provides no warning that these values are sensitive secrets that must not be logged, committed, or shared. In a skill explicitly designed for automation against external Feishu APIs, this omission increases the chance of credential mishandling and subsequent unauthorized access to Feishu data and operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises generating and publishing Feishu documents from Bitable data without warning that report contents will be transmitted to an external service and may contain sensitive business data. Given this skill's purpose—cross-table queries, templated reports, and publication—the lack of disclosure makes accidental exfiltration or inappropriate sharing more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The scheduled reporting and audit workflows can run automatically and generate or publish reports that affect user data, yet the documentation does not warn about these side effects or the risk of unattended execution. In this automation-heavy skill, scheduling increases danger because recurring jobs can repeatedly transmit, publish, or overwrite data at scale without an explicit user reminder.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger phrases are broad and likely to match ordinary user requests about Feishu, reports, or tables, which can cause the skill to activate in contexts where the user did not intend automation with write/publish side effects. In a skill that can modify data, publish reports, and run scheduled jobs, overbroad triggering increases the chance of unsafe or surprising execution.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documentation describes publishing reports, batch table operations, imports, updates, and scheduled execution without clear warnings that these actions can modify Feishu data or create externally visible artifacts. In this context, the absence of prominent warnings is risky because users may treat reporting commands as read-only while they actually write records, generate documents, or publish content automatically.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The snapshot function exports an entire table, including record contents and the app_token, to a local JSON file without any warning, masking, encryption, or access-control safeguards. In an automation skill handling business tables, this creates a real confidentiality risk because sensitive operational data and credentials may be persisted to disk and later exposed through local compromise, backups, logs, or accidental sharing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code executes configured scripts without any confirmation, trust prompt, or warning to the operator, which increases the likelihood of unsafe execution from a tampered schedule. While the core issue is the arbitrary execution itself, the lack of disclosure and approval makes exploitation easier in operational environments where schedule files may be shared or edited by multiple parties.

VirusTotal

62/62 vendors flagged this skill as clean.
