Trust Assessment
feishu received a trust score of 29/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 0 critical, 7 high, 4 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Potential hardcoded secret (high entropy), Direct source dependency in package.json.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings13
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Direct source dependency in package.json Dependency '@openclaw-feishu/feishu-client' uses non-registry source 'file:../../projects/skills-dev/feishu/lib/feishu-client', which increases supply-chain risk. Prefer vetted registry releases pinned to exact versions. | Dependencies | skills/wilsonliu95/feishu-pro/package.json | |
| HIGH | Arbitrary Local File Read and Exfiltration Several skill functions (`ocrImage`, `speechToText`, `uploadFile`, `sendAttachment`) accept a `filePath` argument. If an AI agent or an attacker can control this parameter, they could instruct the skill to read arbitrary files from the local filesystem (e.g., `/etc/passwd`, `.env` files, or other sensitive data) and then exfiltrate their content by uploading them to Feishu via OCR, speech-to-text, drive upload, or IM attachment functionalities. This poses a significant data exfiltration risk. Implement strict validation and sanitization for `filePath` arguments. Restrict file access to a designated, isolated directory (e.g., a temporary upload folder) and ensure that paths cannot traverse outside this boundary. Consider using a file picker or content ID system instead of direct file paths where possible. | LLM | src/ai.ts:30 | |
| HIGH | Arbitrary Local File Read and Exfiltration The `speechToText` function accepts a `filePath` argument. If an AI agent or an attacker can control this parameter, they could instruct the skill to read arbitrary files from the local filesystem (e.g., `/etc/passwd`, `.env` files, or other sensitive data), base64-encode them, and then exfiltrate their content by sending them to Feishu's speech-to-text API. This poses a significant data exfiltration risk. Implement strict validation and sanitization for `filePath` arguments. Restrict file access to a designated, isolated directory (e.g., a temporary upload folder) and ensure that paths cannot traverse outside this boundary. Consider using a file picker or content ID system instead of direct file paths where possible. | LLM | src/ai.ts:47 | |
| HIGH | Arbitrary Local File Read and Exfiltration The `uploadFile` function accepts a `filePath` argument. If an AI agent or an attacker can control this parameter, they could instruct the skill to read arbitrary files from the local filesystem (e.g., `/etc/passwd`, `.env` files, or other sensitive data) and then exfiltrate their content by uploading them to Feishu Drive. This poses a significant data exfiltration risk. Implement strict validation and sanitization for `filePath` arguments. Restrict file access to a designated, isolated directory (e.g., a temporary upload folder) and ensure that paths cannot traverse outside this boundary. Consider using a file picker or content ID system instead of direct file paths where possible. | LLM | src/docs.ts:150 | |
| HIGH | Arbitrary Local File Read and Exfiltration The `sendAttachment` function accepts a `filePath` argument. If an AI agent or an attacker can control this parameter, they could instruct the skill to read arbitrary files from the local filesystem (e.g., `/etc/passwd`, `.env` files, or other sensitive data) and then exfiltrate their content by sending them as IM attachments. This poses a significant data exfiltration risk. Implement strict validation and sanitization for `filePath` arguments. Restrict file access to a designated, isolated directory (e.g., a temporary upload folder) and ensure that paths cannot traverse outside this boundary. Consider using a file picker or content ID system instead of direct file paths where possible. | LLM | src/im.ts:90 | |
| HIGH | Hardcoded Credentials in Test File The `tests/runner.mjs` file contains hardcoded `FEISHU_APP_ID` and `FEISHU_APP_SECRET`. While this is in a test script, hardcoding sensitive credentials, even for testing purposes, is a security anti-pattern. If this file were ever accidentally deployed, committed to a public repository, or exposed, these credentials would be compromised, leading to unauthorized access to the Feishu application. Remove hardcoded credentials from all files. For testing, use environment variables, a secure configuration management system, or mock values. Ensure that sensitive data is never committed to version control or included in deployment artifacts. | LLM | tests/runner.mjs:7 | |
| HIGH | Hardcoded Credentials in Test File The `tests/runner.mjs` file contains hardcoded `FEISHU_APP_ID` and `FEISHU_APP_SECRET`. While this is in a test script, hardcoding sensitive credentials, even for testing purposes, is a security anti-pattern. If this file were ever accidentally deployed, committed to a public repository, or exposed, these credentials would be compromised, leading to unauthorized access to the Feishu application. Remove hardcoded credentials from all files. For testing, use environment variables, a secure configuration management system, or mock values. Ensure that sensitive data is never committed to version control or included in deployment artifacts. | LLM | tests/runner.mjs:8 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/wilsonliu95/feishu-pro/tests/test_all_modules.js:144 | |
| MEDIUM | Potential hardcoded secret (high entropy) A high-entropy string (entropy=4.54) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/wilsonliu95/feishu-pro/tests/runner.mjs:10 | |
| MEDIUM | Unpinned npm dependency version Dependency '@types/node' is not pinned to an exact version ('^25.2.1'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/wilsonliu95/feishu-pro/package.json | |
| MEDIUM | Command Injection Vulnerability in Test Runner The `tests/runner.mjs` script uses `child_process.spawn` to execute `node` with a test file path (`testPath`) that can be influenced by `process.argv[2]`. If an attacker can control `process.argv[2]` in the environment where this test runner is executed, they could potentially inject and execute arbitrary Node.js scripts or commands. This poses a command injection risk to the test execution environment. Ensure that `process.argv[2]` is strictly validated and sanitized before being used to construct `testPath`. Ideally, only allow a predefined set of trusted test file names or use a more secure method for selecting test scripts that does not involve direct user input in command execution. | LLM | tests/runner.mjs:28 | |
| LOW | Local File Dependencies (Supply Chain Risk) The `package.json` and `package-lock.json` files specify dependencies (`@openclaw-feishu/feishu-client` and `@openclaw-feishu/feishu-utils`) using the `file:` protocol, pointing to local paths (`../../projects/skills-dev/feishu/lib/`). While common in monorepos, this means the skill relies on specific local directory structures and the integrity of these local packages. If the skill is distributed without these local dependencies being properly published or bundled, it will fail. It also introduces a supply chain risk if the local source code for these dependencies is not rigorously controlled and audited, as changes there directly impact this skill without standard package manager checks. For production-ready skills, consider publishing these internal dependencies to a private package registry or bundling them directly into the skill package. Ensure that the source code for these local dependencies is subject to the same security scrutiny as the main skill. | LLM | package.json:7 | |
| LOW | Local File Dependencies (Supply Chain Risk) The `package.json` and `package-lock.json` files specify dependencies (`@openclaw-feishu/feishu-client` and `@openclaw-feishu/feishu-utils`) using the `file:` protocol, pointing to local paths (`../../projects/skills-dev/feishu/lib/`). While common in monorepos, this means the skill relies on specific local directory structures and the integrity of these local packages. If the skill is distributed without these local dependencies being properly published or bundled, it will fail. It also introduces a supply chain risk if the local source code for these dependencies is not rigorously controlled and audited, as changes there directly impact this skill without standard package manager checks. For production-ready skills, consider publishing these internal dependencies to a private package registry or bundling them directly into the skill package. Ensure that the source code for these local dependencies is subject to the same security scrutiny as the main skill. | LLM | package.json:8 |
Scan History
Embed Code
[](https://skillshield.io/report/91221c9ca09896be)
Powered by SkillShield