Trust Assessment
feishu-memory-recall received a trust score of 76/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings: an unpinned npm dependency version, a missing Node lockfile, and a read of a sensitive OpenClaw session file from the home directory.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Reads sensitive OpenClaw session file from home directory.** The skill explicitly reads `~/.openclaw/agents/main/sessions/sessions.json` from the user's home directory. This file is highly likely to contain sensitive session information or credentials for other OpenClaw agents or services. While the `SKILL.md` describes this as part of 'auto-discovery' for Feishu groups, granting a skill direct read access to such a broad and sensitive file outside its immediate operational scope poses a significant data exfiltration risk if the skill is compromised or designed maliciously. The skill gains access to the full content of this file, which could include credentials for unrelated services. Restrict the skill's filesystem access to its own directory and explicitly defined data storage locations. If session data is genuinely required for auto-discovery, consider providing a more granular API or a sandboxed mechanism to access only the necessary Feishu-related session information, rather than reading the entire `sessions.json` file directly from the home directory. Ensure that `sessions.json` does not contain credentials or sensitive data for other services that are not directly relevant to Feishu group discovery. | LLM | index.js:27 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'commander' is not pinned to an exact version ('^14.0.3'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/autogame-17/feishu-memory-recall/package.json |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/autogame-17/feishu-memory-recall/package.json |