Skill Trust Decision

bitable_to_feishu_webhook

Skill has undeclared network exfiltration capability through user-controlled webhook_url that can send data to any external endpoint, and uses eval() with potential code execution vectors not declared in permissions.

Source: Manual upload · Scanned: Apr 3, 2026
Files 6
Artifacts 4
Violations 1
Findings 4
Most direct threat evidence
01
Attacker provides malicious webhook_url pointing to controlled server

reconnaissance · SKILL.md inputs

02
User configures skill with attacker-provided webhook

delivery · SKILL.md inputs

03
Skill POSTs bitable record data (including sensitive fields) to attacker-controlled URL

Exfiltration · scripts/push_skill.py

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Review
Hidden execution and egress

4 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

2 dependency or supply-chain issues need attention.

Attack Chain

01
Attacker provides malicious webhook_url pointing to controlled server

reconnaissance · SKILL.md inputs:17

02
User configures skill with attacker-provided webhook

delivery · SKILL.md inputs:17

03
Skill POSTs bitable record data (including sensitive fields) to attacker-controlled URL

Exfiltration · scripts/push_skill.py:175

What drove the risk score up

Undeclared webhook exfiltration +25

webhook_url accepts any URL, enabling data exfiltration to arbitrary endpoints not declared in network permissions

eval() with restricted but not sandboxed globals +15

eval() with __builtins__:{} still allows object construction attacks (type, __import__, etc.) - not declared in permissions

Duplicate undocumented script +5

scripts/push.py exists but is not referenced in SKILL.md entrypoint

Most important evidence

High

Data exfiltration via undeclared webhook URL

The skill accepts a user-provided webhook_url parameter and sends formatted message data (including potentially sensitive fields from bitable records) to this URL. SKILL.md only declares network access to 'https://open.feishu.cn', but webhook_url can point to any external endpoint, enabling data exfiltration.

scripts/push_skill.py:175
Either whitelist webhook domains or explicitly declare the capability to send data to arbitrary URLs in SKILL.md permissions.

Medium

eval() with potential code execution escape

eval_rule() uses eval() with __builtins__={}. While this removes direct builtins, it may still allow dangerous operations through object construction (type(), __import__ via getattr on builtins, etc.). Not declared in SKILL.md.

scripts/push_skill.py:103
Replace eval() with a safer expression parser (e.g., ast.literal_eval with restricted grammar) or explicitly declare the capability.

Low

Undocumented secondary script

scripts/push.py exists with similar functionality to push_skill.py but is not referenced in SKILL.md entrypoint.

scripts/push.py:1
Remove or document scripts/push.py if it's intentionally a separate entry point.

Info

Credentials handling appears safe

app_id and app_secret are used only for Feishu API authentication and are not exfiltrated. No access to ~/.ssh, ~/.aws, or .env files.

scripts/push_skill.py:68
No action needed.

Declared capability vs actual capability

Network · Block
Declared: READ (https://open.feishu.cn only)
Inferred: WRITE (arbitrary URL via webhook_url)
scripts/push_skill.py:175-183 - send_to_webhook() POSTs to user-provided webhook_url without domain restriction

Filesystem · Pass
Declared: NONE
Inferred: NONE
No file system operations found

Shell · Pass
Declared: NONE
Inferred: NONE
No shell execution found

Environment · Pass
Declared: NONE
Inferred: READ (INPUT_* vars)
Uses os.getenv() to read INPUT_* environment variables - expected but undocumented

Suspicious artifacts and egress

Medium External URL
https://open.feishu.cn/open-apis/bot/v2/hook/xxx)

SKILL.md:36

Medium External URL
https://open.feishu.cn

SKILL.md:66

Medium External URL
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal

push_skill.py:59

Medium External URL
https://open.feishu.cn/open-apis/bitable/v1/apps/

push_skill.py:71

Dependencies and supply chain

Package   Version    Source  Known vuln  Notes
requests  >=2.25.0   pip     No          Version pinned at lower bound only
urllib3   >=1.26.0   pip     No          Version pinned at lower bound only

File composition

6 files · 805 lines
Python 2 files · 672 lines
Markdown 2 files · 125 lines
JSON 1 file · 5 lines
Text 1 file · 3 lines
Files of concern · 3
push_skill.py Python · 594 lines
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal · https://open.feishu.cn/open-apis/bitable/v1/apps/
scripts/push.py Python · 78 lines
Undocumented secondary script
SKILL.md Markdown · 67 lines
https://open.feishu.cn/open-apis/bot/v2/hook/xxx) · https://open.feishu.cn
Other files · README.md · _meta.json · requirements.txt

Security positives

No shell execution (subprocess, os.system, etc.)
No file system write operations
No credential harvesting from sensitive paths
No base64 decoding or obfuscated code execution
No hidden HTML/JS payloads
No clipboard access
Credentials (app_id, app_secret) are used only for intended Feishu API auth and not exfiltrated
HTTP requests are limited to defined Feishu API endpoints except for the user-controlled webhook_url