安全决策报告
swarm-control-feishu
Skill documents dangerous curl|bash installation patterns and configures maximum-permissive OpenClaw settings that disable all security controls, enabling arbitrary shell execution and full filesystem/network access.
最直接的威胁证据
01
User reads SKILL.md and follows installation instructions 初始入口 · SKILL.md
02
Skill applies maximum-permissive configuration disabling all security controls 权限提升 · feishu-allallow.js
03
Agent can execute arbitrary shell commands, access entire filesystem, read all sessions 最终危害 · config.example.json
为什么得出这个结论
3/4 个维度触发 阻止
声明与实际能力
发现 3 项声明之外的能力或越权行为。
阻止
隐藏执行与外联
提取到 1 个高危 IOC 或外联信号。
阻止
攻击链与高危发现
报告包含 3 步攻击链,另有 2 项高危或严重发现。
复核
依赖与供应链卫生
没有完整依赖信息,供应链判断需要保留弹性。
攻击链
01
User reads SKILL.md and follows installation instructions
初始入口 · SKILL.md:842
02
Skill applies maximum-permissive configuration disabling all security controls
权限提升 · feishu-allallow.js:145
03
Agent can execute arbitrary shell commands, access entire filesystem, read all sessions
最终危害 · config.example.json:58
风险分是怎么被拉高的
Dangerous curl|bash documentation +20
SKILL.md:842 documents curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash pattern
Security controls disabled +15
sandbox:off, exec.security:full, exec.ask:off, fs.workspaceOnly:false disable all protective measures
Network exposure +10
Gateway bind=lan exposes OpenClaw to local network
最关键的证据
高危
Dangerous curl|bash pattern in documentation
SKILL.md line 842 documents remote script execution via curl|bash pattern for nvm installation. This pattern is a well-known attack vector.
SKILL.md:842 Use safer installation methods or document security implications prominently
高危
All security controls intentionally disabled
The skill applies configurations that disable sandbox, set exec.security to 'full', exec.ask to 'off', and workspaceOnly to false, eliminating all protective measures.
config.example.json:58 Document security implications clearly; consider safer defaults
中危
Gateway bound to LAN
Gateway bind=lan exposes OpenClaw to local network instead of localhost, increasing attack surface.
config.example.json:70 Use bind:loopback for single-user scenarios
中危
Elevated privileges enabled without restrictions
elevated.enabled:true allows privileged operations from Feishu with minimal controls.
config.example.json:64 Restrict elevated access or document security implications
低危
Docker pulls from third-party registry
start-funasr.sh pulls Docker image from Aliyun registry (registry.cn-hangzhou.aliyuncs.com)
start-funasr.sh:25 Verify registry authenticity before use
低危
Node.js execSync usage for status checks
JavaScript files use child_process.execSync for environment detection and status checks.
feishu-allallow.js:61 No action needed - legitimate tool inspection
声明能力 vs 实际能力
命令执行 阻止
声明 NONE
→ 推断 WRITE
feishu-allallow.js:12 uses execSync for command execution 文件系统 阻止
声明 NONE
→ 推断 WRITE
config modifies ~/.openclaw/openclaw.json 网络访问 阻止
声明 NONE
→ 推断 WRITE
gateway.bind:lan exposes to LAN; Docker pulls remote images 可疑产物与外联
严重 危险命令
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash SKILL.md:842
中危 外部 URL
https://clawhub.com CHANGELOG.md:101
中危 外部 URL
https://docs.openclaw.ai FILES.md:139
中危 外部 URL
https://open.feishu.cn/ FILES.md:140
中危 外部 URL
http://127.0.0.1:18789 JSON_CONFIG_GUIDE.md:302
中危 外部 URL
https://api.kimi.com/coding/ JSON_CONFIG_GUIDE.md:328
中危 外部 URL
https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx/summary SKILL.md:589
中危 外部 URL
https://nodejs.org/en/download/ SKILL.md:971
中危 外部 URL
https://www.python.org/downloads/ SKILL.md:977
中危 外部 URL
https://f-droid.org/packages/com.termux/ SKILL.md:1012
中危 外部 URL
http://json-schema.org/draft-07/schema# schema.json:2
中危 外部 URL
https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx start-funasr.sh:27
依赖与供应链
没有结构化依赖告警。
文件构成
14 个文件 · 4148 行
Markdown 6 个文件 · 2296 行JavaScript 3 个文件 · 1171 行JSON 4 个文件 · 622 行Shell 1 个文件 · 59 行
需关注文件 · 7
SKILL.md Dangerous curl|bash pattern in documentation · curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash · https://www.modelscope.cn/models/manyeyes/sensevoice-small-int8-onnx/summary · https://nodejs.org/en/download/ · https://www.python.org/downloads/ · https://f-droid.org/packages/com.termux/
feishu-allallow.js Node.js execSync usage for status checks
JSON_CONFIG_GUIDE.md http://127.0.0.1:18789 · https://api.kimi.com/coding/
schema.json http://json-schema.org/draft-07/schema#
FILES.md https://docs.openclaw.ai · https://open.feishu.cn/
CHANGELOG.md https://clawhub.com
config.example.json All security controls intentionally disabled · Gateway bound to LAN · Elevated privileges enabled without restrictions
其他文件 · feishu-prime.js · config.example.annotated.json · README.md · swarm-control-feishu.js · RELEASE.md
安全亮点
No actual malicious code execution in runtime - curl|bash only in documentation
No credential harvesting or exfiltration code detected
No reverse shell or C2 infrastructure
No base64-encoded or obfuscated malicious payloads
execSync usage limited to benign status/version checks
Configuration files are template-based, not automatically applied