Openclaw Feishu 2026.5.26.Tgz

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate OpenClaw Feishu/Lark integration, but it can read and modify shared Feishu content, so it should be installed only with carefully scoped app permissions.

Install only if you intend to let OpenClaw operate on Feishu/Lark resources. Use least-privilege Feishu app scopes, keep permission management disabled unless needed, restrict dmPolicy/groupPolicy/allowFrom to trusted users and groups, avoid enabling dynamic agent creation or config writes broadly, and confirm any delete, overwrite, move, share, or full_access action before letting an agent perform it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The code can automatically create a new agent per DM user, create workspace/agent directories on disk, and rewrite the persistent config file without any user approval step. Even if intended as a product feature, self-modifying configuration and per-user persistent workspaces increase attack surface, enable unbounded state growth, and let external users indirectly trigger local file and config changes.

Context-Inappropriate Capability

Medium, 86% confidence
Finding
The skill ingests Feishu Drive comment events, builds prompts from document/comment context, and explicitly instructs the agent to perform document edits and post follow-up comments. This extends the skill from chat monitoring into document-reading and document-modification workflows, which can expose sensitive document content and enable unintended edits if routing or authorization is misconfigured.

Missing User Warnings

Medium, 93% confidence
Finding
The code treats any outbound text that looks like an absolute local image path as a file to upload automatically, instead of sending it as literal text. This can exfiltrate local files if an upstream agent, prompt injection, or user-supplied content causes a path such as '/home/user/secrets.png' to be emitted, and there is no confirmation or explicit opt-in before the file is accessed and transmitted.

Missing User Warnings

Medium, 93% confidence
Finding
This file exposes a remote `delete` action that deletes Feishu Drive files directly with no built-in confirmation, dry-run mode, or stronger safety gating. In an agent setting, ambiguous prompts, prompt injection, or model error can cause irreversible destructive operations against user data once the tool is invoked.

Missing User Warnings

Medium, 97% confidence
Finding
A DM from a user can trigger automatic creation of directories and persistent config updates with no user-facing warning or admin approval. That means external interaction can mutate long-lived local state and provision new agent identities, creating surprise persistence and possible resource exhaustion or policy bypass.

Missing User Warnings

Medium, 90% confidence
Finding
Inbound media and embedded post attachments are downloaded and saved to disk automatically during message processing. Silent persistence of user-supplied files increases privacy risk, malware-handling risk, disk consumption risk, and can surprise operators if retention and storage location are not clearly controlled.

Vague Triggers

Medium, 91% confidence
Finding
The activation text uses broad phrases like 'Feishu docs', 'cloud docs', or 'docx links', which can cause the skill to trigger in situations where the user did not explicitly intend document access. Because this skill supports both read and write operations on remote documents, over-broad invocation increases the chance of unintended document access or modification in response to ambiguous prompts.

Missing User Warnings

Medium, 94% confidence
Finding
The skill documents a 'write' action that replaces the entire document but does not prominently require user confirmation or warn that existing content will be destroyed. In a tool that operates on live collaboration documents, this creates a substantial risk of accidental data loss or unauthorized destructive edits if the action is selected from an ambiguous request or mistaken token.

Vague Triggers

Medium, 91% confidence
Finding
The activation text uses broad terms like 'cloud space,' 'folders,' and 'drive,' which can match many ordinary user requests and cause the skill to activate outside clear user intent. Because this skill exposes file-management capabilities, over-broad triggering increases the chance of unintended access to listing, moving, creating, or deleting cloud storage content.

Missing User Warnings

Medium, 94% confidence
Finding
The skill documents destructive and state-changing operations such as create, move, and delete without any user-facing warning, confirmation requirement, or safety guardrails. In a file storage context, accidental or ambiguous invocation could lead to data loss, unauthorized reorganization, or disruption of shared workspace content, especially since the skill may operate on shared bot-accessible folders.

Vague Triggers

Medium, 93% confidence
Finding
The activation text uses broad, common collaboration terms like sharing, permissions, and collaborators, which can cause the skill to trigger during ordinary discussion rather than an explicit request to change access controls. Because this tool can add, remove, or elevate collaborators on sensitive resources, over-broad activation increases the chance of unintended permission changes or exposure of collaborator information.

Missing User Warnings

Medium, 90% confidence
Finding
The skill describes add and remove permission operations without an explicit warning that these actions modify access to shared resources and may revoke or grant access to sensitive documents. In a permission-management context, missing safety guidance makes accidental misuse more likely, especially for destructive actions like removal or granting full_access.

Vague Triggers

Medium, 92% confidence
Finding
The activation text uses broad phrases like 'knowledge base', 'wiki', or 'wiki links', which are common in normal conversation and can cause the skill to activate outside narrow user intent. Because this skill exposes both navigation and modification actions, overbroad activation increases the chance of unintended access to wiki metadata or accidental content changes.

Missing User Warnings

Medium, 95% confidence
Finding
The skill documents create, move, rename, and wiki-doc edit workflows without prominently warning that these operations modify user content. In an agent setting, this can lead to silent or mistaken state-changing actions on knowledge base pages, especially when combined with broad activation and a dependency on a write-capable document tool.

VirusTotal

59/59 vendors flagged this plugin as clean.
