data-analysis-for-feishu

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate Feishu-ready charts as advertised, but it under-discloses that user data is rendered in a headless browser that loads third-party ECharts code from a CDN.

Review before installing if you will process sensitive business data. Use it in an isolated environment, consider vendoring ECharts locally or blocking external browser network access, and verify the marketplace capability tags because crypto/purchase tags do not match the reviewed artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89%
Finding
The skill advertises substantial capabilities that imply file writing, network access, and shell-like execution paths, but the manifest text shown in SKILL.md does not declare corresponding permissions or clearly scope them. This creates a transparency and policy-enforcement gap: users or the hosting platform may approve the skill without understanding that it can download dependencies, fetch remote resources, and write outputs to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92%
Finding
The documented behavior understates security-relevant functionality: generating Feishu card JSON expands output/use scope, and fetching ECharts from an external CDN introduces undisclosed network dependence and supply-chain risk. Users expecting a local, out-of-the-box visualization tool may unknowingly permit remote code/resource retrieval during rendering, which can affect confidentiality, integrity, and reproducibility.

Intent-Code Divergence

Medium
Confidence
95%
Finding
The code claims to operate fully locally, but it injects a remote script from jsDelivr into a headless browser. That creates an unintended network dependency and allows external code to run during rendering, which can leak metadata, fail in restricted environments, or expose the process to supply-chain compromise if the CDN or package is tampered with.

Missing User Warnings

Medium
Confidence
86%
Finding
The documentation states that dependencies are automatically installed and Chromium is downloaded on first run, but it does not present this as a prominent security warning or require explicit consent. Silent installation of software and browser binaries increases attack surface and can violate operator expectations in restricted or production environments.

VirusTotal

VirusTotal findings are pending for this skill version.