Scan Report
5/100
baikexia
Snail Company (蜗牛公司) Baikexia skill pack; answers company-related questions for employees
A legitimate company knowledge base Q&A skill for Walter company with proper documentation and only declared Feishu API integration.
Safe to install
No action required. The skill performs its documented function of syncing and searching a company knowledge base via Feishu API.
Findings: 1 item
| Severity | Finding | Location |
|---|---|---|
| Low | Hardcoded wiki configuration (Sensitive Access) | scripts/sync.js:40 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | WRITE | ✓ Aligned | cache/content.json creation in sync.js |
| Network | READ | READ | ✓ Aligned | HTTPS requests to open.feishu.cn for API calls |
| Shell | NONE | NONE | — | No subprocess or shell execution observed |
| Environment | NONE | READ | ✓ Aligned | OPENCLAW_AGENT_NAME env var read in send-message.js |
2 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://open.feishu.cn/open-apis | scripts/send-message.js:16 |
| Medium | External URL | https://campsnail.feishu.cn/wiki/$ | scripts/sync.js:616 |

File Tree
5 files · 62.3 KB · 1806 lines
| Language | Files | Lines |
|---|---|---|
| JavaScript | 3 | 1586 |
| Markdown | 1 | 215 |
| JSON | 1 | 5 |

├─ scripts
│ ├─ search.js (JavaScript)
│ ├─ send-message.js (JavaScript)
│ └─ sync.js (JavaScript)
├─ _meta.json (JSON)
└─ SKILL.md (Markdown)

Security Positives
✓ No obfuscation techniques (base64, eval) detected
✓ No shell command execution (subprocess) observed
✓ No credential exfiltration - credentials only used for Feishu API authentication
✓ No network requests to unknown external IPs - only communicates with open.feishu.cn
✓ All functionality declared in SKILL.md documentation
✓ Clean codebase with no hidden functionality
✓ Uses Node.js native https module instead of curl/wget