Security Audit

WilsonLiu95/openclaw-skills:skills/feishu

github.com/WilsonLiu95/openclaw-skills

AI SkillCommit dacc554a65f5

CAUTION

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

WilsonLiu95/openclaw-skills:skills/feishu received a trust score of 54/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 2 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Direct source dependency in package.json, Unpinned npm dependency version.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 11, 2026 (commit dacc554a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

93%

Static Code Analysis

100%

Dependency Graph

76%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Filesystem Write

3 findings

Shell Execution

2 findings

Dynamic Code

2 findings

Excessive Permissions

1 finding

Security Findings5

Severity	Finding	Layer	Location
HIGH	Direct source dependency in package.json Dependency '@openclaw-feishu/feishu-client' uses non-registry source 'file:../../projects/skills-dev/feishu/lib/feishu-client', which increases supply-chain risk. Prefer vetted registry releases pinned to exact versions.	Dependencies	skills/feishu/package.json
HIGH	Unrestricted Local File System Access The skill exposes multiple functions (`uploadFile` in `src/docs.ts`, `sendAttachment` in `src/im.ts`, `ocrImage`/`speechToText` in `src/ai.ts`) that accept an arbitrary `filePath` argument and read the file directly from the local filesystem. There is no path validation or sandboxing to restrict access to a specific working directory. This allows an attacker (via prompt injection) to instruct the agent to read and exfiltrate arbitrary sensitive files (e.g., SSH keys, system configuration, environment files) from the host machine by uploading them to Feishu or processing them via AI APIs. Implement a strict filesystem sandbox. Configure a specific allowed directory (e.g., `process.env.WORKSPACE_DIR`). In all functions accepting `filePath`, resolve the path using `path.resolve()` and verify it starts with the allowed directory path. Reject any paths pointing outside the sandbox.	LLM	src/docs.ts:190
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/feishu/tests/test_all_modules.js:144
MEDIUM	Unpinned npm dependency version Dependency '@types/node' is not pinned to an exact version ('^25.2.1'). Pin dependencies to exact versions to reduce drift and supply-chain risk.	Dependencies	skills/feishu/package.json
LOW	Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution.	Dependencies	skills/feishu/package.json

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/b7204c6e4fe7a80e.svg)](https://skillshield.io/report/b7204c6e4fe7a80e)