ClawHub
Back to skill

Security audit

feishu-operations

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Feishu help skill; its risky topics are normal product guidance, but users should handle sharing, exports, recordings, location, and automations carefully.

Safe to install as a reference guide. Before following its instructions, confirm recipients and permissions, avoid public links for sensitive files, protect webhook URLs and API keys, get required consent for recordings/transcripts, and treat exported chats or documents as sensitive copies outside Feishu controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document gives operational guidance for bots, webhooks, APIs, workflows, and account-creation automation, but it omits basic security guardrails such as protecting webhook URLs/API keys, minimizing permissions, validating destinations, rate limiting, approval controls, and avoiding sensitive data in notifications. In a collaboration platform context, users may directly follow this guidance to build automations that leak internal data, spam users, or make unintended system changes, so the omission creates a real security weakness even though it is instructional content rather than executable code.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document states that meeting recording, transcription, and summary generation happen automatically, but it does not warn about consent, privacy, retention, or legal/compliance obligations. In a collaboration skill, this can normalize recording sensitive meetings without participant awareness, increasing risk of privacy violations and unauthorized capture of confidential business or personal data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Documenting that recordings are automatically saved to cloud storage without any caution about access control or data sensitivity can lead users to assume this is always safe by default. If meeting content includes confidential, regulated, or personal information, automatic cloud storage may expose data more broadly than intended through misconfigured sharing or weak retention practices.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document-sharing section gives operational steps for generating links, assigning permissions, sharing to chats, and inviting collaborators, but does not warn users about the risk of oversharing sensitive content or misconfiguring access. In a collaboration skill, this omission can directly lead to unintended exposure of internal documents, especially because users are being taught how to distribute access at scale.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The export and print instructions explain how to download PDF, Word, and HTML copies or print a document, but omit any warning that offline copies are no longer protected by cloud-native sharing controls, auditability, or revocation. This can cause accidental data leakage when sensitive documents are stored locally, emailed onward, or physically distributed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guidance explicitly describes creating public sharing links and permissive access modes such as '任何人可见' without pairing them with warnings about data exposure, least-privilege defaults, or when public links are inappropriate. In a file-management skill, this omission can lead users to unintentionally expose internal or sensitive documents outside the organization.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users how to export chat history but omits any warning that exported files may contain sensitive personal, business, or regulated data and may be stored insecurely once outside the platform. In an operations/help skill, this omission can lead users to normalize risky data handling and unintentionally disclose conversations through local files, shared folders, or onward transmission.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instructions explain how to send live/current location without warning that precise location sharing can expose a user's whereabouts, routines, or sensitive sites such as home or workplace. Because this is general end-user guidance, users may follow it without understanding the privacy and physical-safety implications of oversharing location data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Documenting email forwarding without noting that message content will leave the messaging platform and be copied into email infrastructure creates a real confidentiality risk. Forwarded messages may be retained, indexed, auto-forwarded again, or accessed under weaker security controls than the original chat system.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.