Skill Trust Decision

swarm-control-feishu

A legitimate but dangerous configuration tool: it systematically disables security controls in a documented way, and the risk of misuse is high.

Install decision first
Source: Manual upload
Scanned: Apr 3, 2026
Files 14
Artifacts 12
Violations 0
Findings 6
Most direct threat evidence
01
User sends a malicious instruction via Feishu · Entry · SKILL.md
02
Shell commands executed directly with no sandbox restriction · Escalation · feishu-prime.js
03
Dangerous operations executed directly without confirmation · Escalation · feishu-prime.js

Why this conclusion was reached

2/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

2 dependency or supply-chain issues need attention.

Attack Chain

01
User sends a malicious instruction via Feishu

Entry · SKILL.md:1

02
Shell commands executed directly with no sandbox restriction

Escalation · feishu-prime.js:175

03
Dangerous operations executed directly without confirmation

Escalation · feishu-prime.js:182

04
workspaceOnly=false grants access to ~/.ssh/id_rsa

Impact · feishu-prime.js:185

What drove the risk score up

Systematic disabling of security controls +20

The combination sandbox:off + exec:security=full + exec:ask=off disables all runtime protections

Documentation contains remote script execution +10

SKILL.md:965 contains a curl|bash pipeline that installs nvm

Full filesystem access +10

fs.workspaceOnly=false allows access to the user's home directory and system files

Suspicious permission design intent +5

elevated.enabled=true + allowFrom.feishu=[] lets any Feishu user run privileged commands

Most important evidence

High

Security sandbox systematically disabled

The configuration explicitly sets sandbox:{mode:'off'}, disabling all container isolation

feishu-prime.js:175
Use only in a fully trusted, isolated environment
High

Execution without a confirmation mechanism

exec:{ask:'off'} completely disables confirmation before command execution; any injected instruction runs immediately

feishu-prime.js:182
Consider setting ask:prompt, or use only in a controlled setting
Medium

Full filesystem access

fs:{workspaceOnly:false} allows access to the home directory and system paths (~/.ssh, ~/.aws, /etc, etc.)

feishu-prime.js:185
Restrict workspaceOnly to true to reduce the attack surface
Medium

Documentation contains remote script execution

SKILL.md:965 contains a curl|bash pipeline that downloads and installs nvm; this is a standard install step, but it carries potential risk

SKILL.md:965
Users are advised to verify the script's source before running it
Medium

Elevated permission has no source restriction

elevated.allowFrom.feishu=[] is an empty array that lets any Feishu user run privileged commands

feishu-prime.js:189
Restrict to specific Feishu user IDs: allowFrom: { feishu: ['ou_xxx'] }
Low

Gateway allows insecure authentication

controlUi.allowInsecureAuth=true disables the authentication check

feishu-prime.js:195
Enable only on an internal network

Declared capability vs actual capability

Capability | Result | Declared | Inferred | Evidence
Filesystem | Pass | WRITE | WRITE | SKILL.md explicitly declares a full-permission configuration
Shell | Pass | ADMIN | ADMIN | exec:{security:full, ask:off} is completely unrestricted
Network | Pass | READ | READ | Feishu WebSocket connection configuration
Environment | Pass | NONE | READ | os.networkInterfaces() reads the network configuration
Skill Invoke | Pass | ADMIN | ADMIN | sessions.visibility=all allows cross-agent invocation

Suspicious artifacts and egress

Critical Dangerous Command
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash

SKILL.md:965

Medium External URL
https://clawhub.com

CHANGELOG.md:101

Medium External URL
https://docs.openclaw.ai

FILES.md:139

Medium External URL
https://open.feishu.cn/

FILES.md:140

Medium External URL
http://127.0.0.1:18789

JSON_CONFIG_GUIDE.md:302

Medium External URL
https://api.kimi.com/coding/

JSON_CONFIG_GUIDE.md:328

Medium External URL
https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx/summary

SKILL.md:712

Medium External URL
https://nodejs.org/en/download/

SKILL.md:1094

Medium External URL
https://www.python.org/downloads/

SKILL.md:1100

Medium External URL
https://f-droid.org/packages/com.termux/

SKILL.md:1135

Medium External URL
http://json-schema.org/draft-07/schema#

schema.json:2

Medium External URL
https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx

start-funasr.sh:27

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
funasr | * | pip | No | Speech-to-text dependency, no version pin
onnxruntime | * | pip | No | ONNX inference engine, no version pin
funasr-runtime-sdk-cpu-0.4.5 | 0.4.5 | docker | No | Alibaba Cloud Docker image

File composition

14 files · 4270 lines
Markdown 6 files · 2419 lines
JavaScript 3 files · 1171 lines
JSON 4 files · 621 lines
Shell 1 file · 59 lines
Files of concern · 6
SKILL.md Markdown · 1292 lines
Documentation contains remote script execution · curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash · https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx/summary · https://nodejs.org/en/download/ · https://www.python.org/downloads/ · https://f-droid.org/packages/com.termux/
feishu-prime.js JavaScript · 513 lines
Security sandbox systematically disabled · Execution without a confirmation mechanism · Full filesystem access · Elevated permission has no source restriction · Gateway allows insecure authentication
JSON_CONFIG_GUIDE.md Markdown · 550 lines
http://127.0.0.1:18789 · https://api.kimi.com/coding/
schema.json JSON · 217 lines
http://json-schema.org/draft-07/schema#
FILES.md Markdown · 142 lines
https://docs.openclaw.ai · https://open.feishu.cn/
CHANGELOG.md Markdown · 107 lines
https://clawhub.com
Other files · feishu-allallow.js · config.example.annotated.json · README.md · swarm-control-feishu.js · RELEASE.md · config.example.json

Security positives

No hidden behavior in the code; every capability is declared in the documentation
No credential harvesting, remote control, data exfiltration, or other malicious behavior was found
Configuration file writes are backed up first (backup.${timestamp})
A configuration-check command is provided, so the current security posture can be audited
The speech service is isolated in a Docker container and does not affect the host