Low Risk — Risk Score 20/100
Last scan: 18 hr ago
Enterprise AI Assistant Bundle
Enterprise AI assistant with Feishu + OpenClaw integration for smart customer service, group chat, approval automation, and daily report generation
A legitimate enterprise Feishu bot bundle with minor documentation gaps: shell execution for pip installs and network access are not declared in SKILL.md, and dependencies lack version pinning, but no malicious behavior is present.
Skill Name: Enterprise AI Assistant Bundle
Duration: 58.6s
Engine: pi
Safe to install
Add explicit permission declarations for shell:WRITE (pip install via os.system) and network:READ (api.openclaw.ai/v1) to SKILL.md. Pin lark and openclaw to specific versions to reduce supply-chain risk.

Findings 3 items

Severity: Low
Finding: Shell execution not declared in SKILL.md [Doc Mismatch]
Location: deploy.py:50
deploy.py uses os.system() to run pip install commands, which requires shell:WRITE permission. SKILL.md mentions 'pip install openclaw lark' in usage instructions but does not formally declare the shell:WRITE permission.
os.system('pip install lark')
→ Add shell:WRITE to declared permissions in SKILL.md if pip install via shell is part of the skill's capability contract.

Severity: Low
Finding: Unpinned dependencies lark and openclaw [Supply Chain]
Location: deploy.py:50
deploy.py installs lark and openclaw without version pins (e.g., 'pip install lark==1.0.0'). This allows dependency versions to change between executions, introducing supply-chain risk.
os.system('pip install lark')
→ Pin both packages to specific versions: pip install lark==X.Y.Z openclaw==X.Y.Z

Severity: Info
Finding: Network access not formally declared [Doc Mismatch]
Location: bot.py:43
SKILL.md references api.openclaw.ai and open.feishu.cn but does not declare network:READ permission. The skill makes outbound HTTPS requests to api.openclaw.ai/v1 which should be declared.
requests.post(f'{OPENCLAW_BASE_URL}/chat/completions', ...)
→ Add network:READ to declared permissions in SKILL.md, listing api.openclaw.ai as a required endpoint.

Resource Declared Inferred Status Evidence
Shell NONE WRITE ✗ Violation deploy.py:50 - os.system('pip install lark'); deploy.py:57 - os.system('pip inst…
Network NONE READ ✗ Violation bot.py:43 - requests.post to api.openclaw.ai/v1; SKILL.md shows external URLs bu…
Filesystem NONE WRITE ✓ Aligned deploy.py creates config.json and skills/ directory — directly relevant to deplo…
Environment NONE READ ✓ Aligned bot.py:21 reads OPENCLAW_API_KEY from os.getenv — documented in SKILL.md as a se…
4 findings
Medium External URL
https://open.feishu.cn
SKILL.md:30
Medium External URL
https://discord.gg/clawd
SKILL.md:55
Medium External URL
https://api.openclaw.ai/v1
deploy.py:41
Info Email address
[email protected]
SKILL.md:54

File Tree

3 files · 7.6 KB · 255 lines
Python 2f · 190L Markdown 1f · 65L
├─ 🐍 bot.py Python 82L · 2.2 KB
├─ 🐍 deploy.py Python 108L · 3.8 KB
└─ 📝 SKILL.md Markdown 65L · 1.6 KB

Dependencies 4 items

Package Version Source Known Vulns Notes
lark * pip No Version not pinned — supply-chain risk
openclaw * pip No Version not pinned — third-party package without version constraint
flask * pip (implicit) No Used in bot.py but not explicitly listed; version not pinned
requests * pip (implicit) No Used in bot.py for HTTP calls; version not pinned

Security Positives

✓ No credential harvesting or environment variable iteration for theft
✓ No base64-encoded commands or obfuscated payloads
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No C2 communication or data exfiltration
✓ No reverse shell or arbitrary code execution beyond documented pip install
✓ API key is read from environment variable (OPENCLAW_API_KEY) and not hardcoded or exfiltrated
✓ No hidden instructions in HTML comments or other stealth behavior
✓ Code is readable and straightforward — no anti-analysis techniques