swarm-control-feishu Security Report — Suspicious | ClawSafe

45 /100

swarm-control-feishu

Multi-agent cluster management with Feishu integration

Skill documents dangerous curl|bash installation patterns and configures maximum-permissive OpenClaw settings that disable all security controls, enabling arbitrary shell execution and full filesystem/network access.

Skill Nameswarm-control-feishu

Duration37.7s

Enginepi

⚠

Use with caution

Review installation commands in SKILL.md; do not apply 'full permission' configurations unless in fully isolated environments; enable sandbox mode and restrict exec permissions.

Attack Chain 3 steps

◎

Entry User reads SKILL.md and follows installation instructions

SKILL.md:842

⬡

Escalation Skill applies maximum-permissive configuration disabling all security controls

feishu-allallow.js:145

◉

Impact Agent can execute arbitrary shell commands, access entire filesystem, read all sessions

config.example.json:58

Findings 6 items

Severity	Finding	Location
High	Dangerous curl\|bash pattern in documentation SKILL.md line 842 documents remote script execution via curl\|bash pattern for nvm installation. This pattern is a well-known attack vector. `curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh \| bash` → Use safer installation methods or document security implications prominently	`SKILL.md:842`
High	All security controls intentionally disabled The skill applies configurations that disable sandbox, set exec.security to 'full', exec.ask to 'off', and workspaceOnly to false, eliminating all protective measures. `"sandbox":{"mode":"off"},"exec":{"security":"full","ask":"off"},"fs":{"workspaceOnly":false}` → Document security implications clearly; consider safer defaults	`config.example.json:58`
Medium	Gateway bound to LAN Gateway bind=lan exposes OpenClaw to local network instead of localhost, increasing attack surface. `"gateway":{"bind":"lan"}` → Use bind:loopback for single-user scenarios	`config.example.json:70`
Medium	Elevated privileges enabled without restrictions elevated.enabled:true allows privileged operations from Feishu with minimal controls. `"elevated":{"enabled":true}` → Restrict elevated access or document security implications	`config.example.json:64`
Low	Docker pulls from third-party registry start-funasr.sh pulls Docker image from Aliyun registry (registry.cn-hangzhou.aliyuncs.com) `registry.cn-hangzhou.aliyuncs.com/funasr_repo/funasr:funasr-runtime-sdk-cpu-0.4.5` → Verify registry authenticity before use	`start-funasr.sh:25`
Low	Node.js execSync usage for status checks JavaScript files use child_process.execSync for environment detection and status checks. `execSync('docker --version', { stdio: 'pipe' });` → No action needed - legitimate tool inspection	`feishu-allallow.js:61`

Resource	Declared	Inferred	Status	Evidence
Shell	`NONE`	`WRITE`	✗ Violation	feishu-allallow.js:12 uses execSync for command execution
Filesystem	`NONE`	`WRITE`	✗ Violation	config modifies ~/.openclaw/openclaw.json
Network	`NONE`	`WRITE`	✗ Violation	gateway.bind:lan exposes to LAN; Docker pulls remote images

1 Critical 12 findings

💀

Critical Dangerous Command 危险 Shell 命令

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash

SKILL.md:842

🔗

Medium External URL 外部 URL

https://clawhub.com

CHANGELOG.md:101

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai

FILES.md:139

🔗

Medium External URL 外部 URL

https://open.feishu.cn/

FILES.md:140

🔗

Medium External URL 外部 URL

http://127.0.0.1:18789

JSON_CONFIG_GUIDE.md:302

🔗

Medium External URL 外部 URL

https://api.kimi.com/coding/

JSON_CONFIG_GUIDE.md:328

🔗

Medium External URL 外部 URL

https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx/summary

SKILL.md:589

🔗

Medium External URL 外部 URL

https://nodejs.org/en/download/

SKILL.md:971

🔗

Medium External URL 外部 URL

https://www.python.org/downloads/

SKILL.md:977

🔗

Medium External URL 外部 URL

https://f-droid.org/packages/com.termux/

SKILL.md:1012

🔗

Medium External URL 外部 URL

http://json-schema.org/draft-07/schema#

schema.json:2

🔗

Medium External URL 外部 URL

https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx

start-funasr.sh:27

File Tree

14 files · 112.9 KB · 4148 lines

Markdown 6f · 2296L JavaScript 3f · 1171L JSON 4f · 622L Shell 1f · 59L

├─ 📝 CHANGELOG.md Markdown 107L · 3.4 KB

├─ 📋 config.example.annotated.json JSON 188L · 4.8 KB

├─ 📋 config.example.json JSON 134L · 2.6 KB

├─ 📜 feishu-allallow.js JavaScript 498L · 13.3 KB

├─ 📜 feishu-prime.js JavaScript 513L · 13.8 KB

├─ 📝 FILES.md Markdown 142L · 4.2 KB

├─ 📝 JSON_CONFIG_GUIDE.md Markdown 550L · 11.7 KB

├─ 📋 package.json JSON 83L · 2.5 KB

├─ 📝 README.md Markdown 146L · 4.7 KB

├─ 📝 RELEASE.md Markdown 182L · 3.9 KB

├─ 📋 schema.json JSON 217L · 5.8 KB

├─ 📝 SKILL.md Markdown 1169L · 36.2 KB

├─ 🔧 start-funasr.sh Shell 59L · 1.7 KB

└─ 📜 swarm-control-feishu.js JavaScript 160L · 4.3 KB

Security Positives

✓ No actual malicious code execution in runtime - curl|bash only in documentation

✓ No credential harvesting or exfiltration code detected

✓ No reverse shell or C2 infrastructure

✓ No base64-encoded or obfuscated malicious payloads

✓ execSync usage limited to benign status/version checks

✓ Configuration files are template-based, not automatically applied

Scan Report

Attack Chain 3 steps

Findings 6 items

File Tree

Security Positives