ClawHub

Feishu Multiagent Onboard

Security checks across malware telemetry and agentic risk

Overview

This Feishu setup skill appears purpose-aligned, but users should treat the App Secret as a sensitive credential because it is stored locally in plaintext configuration.

Install only if you are comfortable storing Feishu app credentials in your local OpenClaw config. Use a dedicated Feishu app with minimum required permissions, keep ~/.openclaw/openclaw.json private, avoid committing or backing up the real App Secret in plaintext, and rotate the Feishu secret if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The debug routine executes multiple shell commands (`openclaw plugins list | grep feishu`, `openclaw status`, and `tail ... | grep ...`) via `execSync`. Although the commands are mostly hardcoded and there is no obvious direct user-controlled injection in this file, invoking a shell for diagnostics increases attack surface through shell interpretation, PATH/alias hijacking, and unintended command execution in compromised environments.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The JSON validation function shells out with ``cat ${CONFIG_PATH} | python3 -m json.tool`` even though the file is already read and parsed safely elsewhere. Using a shell for validation is unnecessary and risky because `CONFIG_PATH` is interpolated unquoted into the command string, enabling command injection if the home directory path contains shell metacharacters.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README includes example configuration containing Feishu appId and appSecret fields but does not warn users to treat these values as secrets, avoid committing them to source control, or prefer environment/secret storage. In a setup/onboarding skill, documentation strongly influences user behavior, so this omission can lead to accidental credential exposure in repos, logs, screenshots, or shared config files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide tells users to place App ID and especially App Secret directly into a local JSON config file and even suggests backing that file up, but it does not warn that these are sensitive credentials or describe secure storage practices. This increases the risk of accidental exposure through file permissions, backups, screenshots, shell history, repository commits, or shared workstations, which could allow unauthorized use of the Feishu application.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The wizard prompts for `App Secret` and writes it directly into `~/.openclaw/openclaw.json` without warning the user that the credential will be stored persistently in plaintext. In a local onboarding skill this may be operationally necessary, but the lack of disclosure and protection increases the chance of credential exposure through local file access, backups, logs, or misconfigured permissions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal