Trust Assessment
feishu-sticker received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 4 critical, 2 high, 1 medium, 1 low, and 1 informational. Key findings include arbitrary command execution, an unpinned npm dependency version, and a missing Node lockfile.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution (Node.js `child_process` require). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/feishu-sticker/send.js:2 |
| CRITICAL | Arbitrary command execution (Node.js synchronous shell execution). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/feishu-sticker/send.js:192 |
| CRITICAL | Arbitrary command execution (Node.js synchronous shell execution). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/autogame-17/feishu-sticker/send.js:228 |
| CRITICAL | Command injection via ffmpeg arguments. The `send.js` script constructs `ffmpeg` commands by directly interpolating the `selectedFile` variable into the command string. If `selectedFile` contains shell metacharacters (e.g., `'; rm -rf /'`, `'$(cat /etc/passwd)'`), an attacker could execute arbitrary commands on the system where the skill is running. `selectedFile` can be controlled by the user via the `--file` argument or by placing a maliciously named file in the `STICKER_DIR`. Use `spawnSync` or `execFileSync` with an array of arguments instead of a single command string so that no shell interprets the arguments, and sanitize or validate `selectedFile` if it is user-controlled. For example: `spawnSync(ffmpegPath, ['-i', selectedFile, '-vf', "scale='min(1000,iw)':'min(1000,ih)':force_original_aspect_ratio=decrease", '-q:v', '5', '-f', 'webp', '-'], { encoding: 'buffer' });` | LLM | send.js:300 |
| HIGH | Missing `form-data` dependency in `package.json`. The `send.js` file explicitly calls `require('form-data')`, but `form-data` is not listed in the `dependencies` section of `package.json`. This will lead to a runtime error (`Cannot find module 'form-data'`) if the package is not installed, making the skill non-functional. The `SKILL.md` also lists `form-data` as a required dependency, confirming the intent. Add `"form-data": "^4.0.0"` (or the appropriate version) to the `dependencies` in `package.json`. | LLM | package.json:20 |
| HIGH | Path traversal vulnerability in the `--file` argument. The `send.js` script allows users to specify an image file path via the `--file` argument. The input `options.file` is resolved using `path.resolve(options.file)` and then used in `fs.readFileSync` and passed to `ffmpeg`. While `path.resolve` normalizes paths, it does not prevent access to arbitrary files outside the intended directory if the user provides a path like `/etc/passwd` or `C:\Windows\System32\drivers\etc\hosts`. This could lead to data exfiltration (reading arbitrary files) or denial of service (attempting to process large or invalid files). Implement strict validation for the `--file` argument: ensure the resolved path is within an allowed, designated directory (e.g., `STICKER_DIR` or a temporary upload directory) using `path.relative` or a similar check. Alternatively, only allow file uploads through a secure mechanism that handles file storage and naming. | LLM | send.js:160 |
| MEDIUM | Unpinned npm dependency version. Dependency 'commander' is not pinned to an exact version ('^13.1.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/autogame-17/feishu-sticker/package.json |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/autogame-17/feishu-sticker/package.json |
| INFO | Hardcoded default `STICKER_DIR` containing a specific username. The `find.js` script defines a default `STICKER_DIR` of `/home/crishaocredits/.openclaw/media/stickers`. While this can be overridden by an environment variable, a specific username (`crishaocredits`) in a hardcoded default path is unusual. It might indicate an assumption about the deployment environment or inadvertently leak information about the developer's setup. It does not directly pose a security risk but is a potential misconfiguration or information leak. Change the default `STICKER_DIR` to a more generic path, such as `path.join(os.homedir(), '.openclaw/media/stickers')` (which `send.js` already uses as a fallback if `process.env.STICKER_DIR` is not set). Alternatively, remove the hardcoded default and always require `STICKER_DIR` to be set via an environment variable. | LLM | find.js:5 |
Full report: https://skillshield.io/report/7e39cddf75c83cf6