Low Risk — Risk Score 15/100
Last scan: 5 hr ago
feishu-report-summary
Read Feishu work-report data through the Report v1 API and turn it into daily or weekly summaries.
A skill that reads Feishu work-report data. The code's behaviour matches what the documentation declares; the only issue is a minor supply-chain flaw, an unpinned dependency version.
Skill Name: feishu-report-summary
Duration: 32.1s
Engine: pi
ClawHub Feishu Report Summary v1.0.0 by taype
📥 163
ClawHub Verdict: Suspicious (dangerous_exec)
Safe to install
Safe to use. In production, pin the version of @larksuiteoapi/node-sdk to follow security best practice.

Findings (1 item)

Severity: Low
Finding: Third-party SDK dependency without version pinning
Location: Supply Chain
@larksuiteoapi/node-sdk is located and loaded dynamically in fetch_report_tasks.js via findOpenClawRoot(); the script itself has no package.json declaring the dependency version. An unpinned npm install can cause dependency drift or pull in a malicious version.
const sdkPath = path.join(openClawRoot, 'node_modules', '@larksuiteoapi', 'node-sdk');
→ Create a package.json in the skill directory and declare @larksuiteoapi/node-sdk with a compatible version.
scripts/fetch_report_tasks.js:235
Resource     Declared  Inferred  Status     Evidence
Shell        NONE      READ      ✓ Aligned  scripts/fetch_report_tasks.js:226-231 — execFileSync is used only for npm root -g and which ope…
Filesystem   READ      READ      ✓ Aligned  scripts/fetch_report_tasks.js:296-311 — reads ~/.openclaw/openclaw.json, consistent with SKILL.md …
Network      READ      READ      ✓ Aligned  scripts/fetch_report_tasks.js:350-360 — sends requests only to Feishu internal API endpoints; no data sent elsewhere
Environment  NONE      READ      ✓ Aligned  scripts/fetch_report_tasks.js:299 — reads FEISHU_APP_ID, FEISHU_APP_SECRET, OPENCLAW_…

File Tree

4 files · 23.5 KB · 767 lines
JavaScript: 1 file, 677 lines · Markdown: 2 files, 86 lines · YAML: 1 file, 4 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 233 B
├─ 📁 references
│ └─ 📝 summary-template.md Markdown 19L · 384 B
├─ 📁 scripts
│ └─ 📜 fetch_report_tasks.js JavaScript 677L · 20.3 KB
└─ 📝 SKILL.md Markdown 67L · 2.6 KB

Dependencies (1 item)

Package: @larksuiteoapi/node-sdk
Version: unknown
Source: dynamically resolved from openclaw installation
Known Vulns: No
Notes: No version pinning; the dependency is located via findOpenClawRoot() inside the installed openclaw package, with no standalone package.json declaration.

Security Positives

✓ Code behaviour fully matches the SKILL.md documentation; no hidden functionality
✓ Shell execution uses only execFileSync, with no shell string concatenation, so there is no injection risk
✓ Credentials are used only for local Feishu API calls; they are neither sent elsewhere nor persisted
✓ No base64, eval, or obfuscated code
✓ No access to sensitive paths such as ~/.ssh or .env; the only file read is the authorized openclaw.json
✓ Thorough API error handling; no hard-coded credentials