Skill Trust Decision
swarm-control-feishu
Skill documents dangerous curl|bash installation patterns and configures maximum-permissive OpenClaw settings that disable all security controls, enabling arbitrary shell execution and full filesystem/network access.
Most direct threat evidence
01
User reads SKILL.md and follows installation instructions Entry · SKILL.md
02
Skill applies maximum-permissive configuration disabling all security controls Escalation · feishu-allallow.js
03
Agent can execute arbitrary shell commands, access entire filesystem, read all sessions Impact · config.example.json
Why this conclusion was reached
3/4 dimensions flagged Block
Declared vs actual capability
3 undeclared or violating capabilities were inferred.
Block
Hidden execution and egress
1 high-risk artifacts or egress signals were extracted.
Block
Attack chain and severe findings
The report includes 3 attack-chain steps and 2 severe findings.
Review
Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.
Attack Chain
01
User reads SKILL.md and follows installation instructions
Entry · SKILL.md:842
02
Skill applies maximum-permissive configuration disabling all security controls
Escalation · feishu-allallow.js:145
03
Agent can execute arbitrary shell commands, access entire filesystem, read all sessions
Impact · config.example.json:58
What drove the risk score up
Dangerous curl|bash documentation +20
SKILL.md:842 documents curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash pattern
Security controls disabled +15
sandbox:off, exec.security:full, exec.ask:off, fs.workspaceOnly:false disable all protective measures
Network exposure +10
Gateway bind=lan exposes OpenClaw to local network
Most important evidence
High
Dangerous curl|bash pattern in documentation
SKILL.md line 842 documents remote script execution via curl|bash pattern for nvm installation. This pattern is a well-known attack vector.
SKILL.md:842 Use safer installation methods or document security implications prominently
High
All security controls intentionally disabled
The skill applies configurations that disable sandbox, set exec.security to 'full', exec.ask to 'off', and workspaceOnly to false, eliminating all protective measures.
config.example.json:58 Document security implications clearly; consider safer defaults
Medium
Gateway bound to LAN
Gateway bind=lan exposes OpenClaw to local network instead of localhost, increasing attack surface.
config.example.json:70 Use bind:loopback for single-user scenarios
Medium
Elevated privileges enabled without restrictions
elevated.enabled:true allows privileged operations from Feishu with minimal controls.
config.example.json:64 Restrict elevated access or document security implications
Low
Docker pulls from third-party registry
start-funasr.sh pulls Docker image from Aliyun registry (registry.cn-hangzhou.aliyuncs.com)
start-funasr.sh:25 Verify registry authenticity before use
Low
Node.js execSync usage for status checks
JavaScript files use child_process.execSync for environment detection and status checks.
feishu-allallow.js:61 No action needed - legitimate tool inspection
Declared capability vs actual capability
Shell Block
Declared NONE
→ Inferred WRITE
feishu-allallow.js:12 uses execSync for command execution Filesystem Block
Declared NONE
→ Inferred WRITE
config modifies ~/.openclaw/openclaw.json Network Block
Declared NONE
→ Inferred WRITE
gateway.bind:lan exposes to LAN; Docker pulls remote images Suspicious artifacts and egress
Critical Dangerous Command
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash SKILL.md:842
Medium External URL
https://clawhub.com CHANGELOG.md:101
Medium External URL
https://docs.openclaw.ai FILES.md:139
Medium External URL
https://open.feishu.cn/ FILES.md:140
Medium External URL
http://127.0.0.1:18789 JSON_CONFIG_GUIDE.md:302
Medium External URL
https://api.kimi.com/coding/ JSON_CONFIG_GUIDE.md:328
Medium External URL
https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx/summary SKILL.md:589
Medium External URL
https://nodejs.org/en/download/ SKILL.md:971
Medium External URL
https://www.python.org/downloads/ SKILL.md:977
Medium External URL
https://f-droid.org/packages/com.termux/ SKILL.md:1012
Medium External URL
http://json-schema.org/draft-07/schema# schema.json:2
Medium External URL
https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx start-funasr.sh:27
Dependencies and supply chain
There are no structured dependency warnings.
File composition
14 files · 4148 lines
Markdown 6 files · 2296 linesJavaScript 3 files · 1171 linesJSON 4 files · 622 linesShell 1 files · 59 lines
Files of concern · 7
SKILL.md Dangerous curl|bash pattern in documentation · curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash · https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx/summary · https://nodejs.org/en/download/ · https://www.python.org/downloads/ · https://f-droid.org/packages/com.termux/
feishu-allallow.js Node.js execSync usage for status checks
JSON_CONFIG_GUIDE.md http://127.0.0.1:18789 · https://api.kimi.com/coding/
schema.json http://json-schema.org/draft-07/schema#
FILES.md https://docs.openclaw.ai · https://open.feishu.cn/
CHANGELOG.md https://clawhub.com
config.example.json All security controls intentionally disabled · Gateway bound to LAN · Elevated privileges enabled without restrictions
Other files · feishu-prime.js · config.example.annotated.json · README.md · swarm-control-feishu.js · RELEASE.md
Security positives
No actual malicious code execution in runtime - curl|bash only in documentation
No credential harvesting or exfiltration code detected
No reverse shell or C2 infrastructure
No base64-encoded or obfuscated malicious payloads
execSync usage limited to benign status/version checks
Configuration files are template-based, not automatically applied