Suspicious — Risk Score 45/100
Last scan: 2 days ago
bitable_to_feishu_webhook
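Filters records from a Feishu Bitable according to user-defined rules and automatically pushes the formatted content to the specified group bot Webhook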
Skill has undeclared network exfiltration capability through user-controlled webhook_url that can send data to any external endpoint, and uses eval() with potential code execution vectors not declared in permissions.
Skill Name: bitable_to_feishu_webhook
Duration: 38.4s
Engine: pi
Use with caution
1) Declare all allowed webhook domains in SKILL.md permissions. 2) Consider whitelisting webhook destinations to feishu.cn domains only. 3) Remove or document scripts/push.py. 4) Consider replacing eval() with a safer expression parser.

Attack Chain 3 steps

Escalation Attacker provides malicious webhook_url pointing to controlled server
SKILL.md inputs:17
Escalation User configures skill with attacker-provided webhook
SKILL.md inputs:17
Escalation Skill POSTs bitable record data (including sensitive fields) to attacker-controlled URL
scripts/push_skill.py:175

Findings 4 items

Severity Finding Location
High
Data exfiltration via undeclared webhook URL
The skill accepts a user-provided webhook_url parameter and sends formatted message data (including potentially sensitive fields from bitable records) to this URL. SKILL.md only declares network access to 'https://open.feishu.cn', but webhook_url can point to any external endpoint, enabling data exfiltration.
resp = get_session().post(webhook_url, headers={"Content-Type": "application/json"}, ...)
→ Either whitelist webhook domains or explicitly declare the capability to send data to arbitrary URLs in SKILL.md permissions.
scripts/push_skill.py:175
Medium
eval() with potential code execution escape
eval_rule() uses eval() with __builtins__={}. While this removes direct builtins, it may still allow dangerous operations through object construction (type(), __import__ via getattr on builtins, etc.). Not declared in SKILL.md.
return bool(eval(rule_expression, safe_globals, safe_locals))
→ Replace eval() with a safer expression parser (e.g., ast.literal_eval with restricted grammar) or explicitly declare the capability.
scripts/push_skill.py:103
Low
Undocumented secondary script
scripts/push.py exists with similar functionality to push_skill.py but is not referenced in SKILL.md entrypoint.
#!/usr/bin/env python3
→ Remove or document scripts/push.py if it's intentionally a separate entry point.
scripts/push.py:1
Info
Credentials handling appears safe
app_id and app_secret are used only for Feishu API authentication and are not exfiltrated. No access to ~/.ssh, ~/.aws, or .env files.
payload = {"app_id": app_id, "app_secret": app_secret}
→ No action needed.
scripts/push_skill.py:68
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ (https://open.feishu.cn only) | WRITE (arbitrary URL via webhook_url) | ✗ Violation | scripts/push_skill.py:175-183 - send_to_webhook() POSTs to user-provided webhook… |
| Filesystem | NONE | NONE | | No file system operations found |
| Shell | NONE | NONE | | No shell execution found |
| Environment | NONE | READ (INPUT_* vars) | ✓ Aligned | Uses os.getenv() to read INPUT_* environment variables - expected but undocument… |
4 findings
Medium External URL
https://open.feishu.cn/open-apis/bot/v2/hook/xxx
SKILL.md:36
Medium External URL
https://open.feishu.cn
SKILL.md:66
Medium External URL
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal
push_skill.py:59
Medium External URL
https://open.feishu.cn/open-apis/bitable/v1/apps/
push_skill.py:71

File Tree

6 files · 26.2 KB · 805 lines
Python 2f · 672L Markdown 2f · 125L JSON 1f · 5L Text 1f · 3L
├─ 📁 scripts
│ └─ 🐍 push.py Python 78L · 2.2 KB
├─ 📋 _meta.json JSON 5L · 136 B
├─ 🐍 push_skill.py Python 594L · 19.9 KB
├─ 📝 README.md Markdown 58L · 2.0 KB
├─ 📄 requirements.txt Text 3L · 34 B
└─ 📝 SKILL.md Markdown 67L · 2.0 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | >=2.25.0 | pip | No | Version pinned at lower bound only |
| urllib3 | >=1.26.0 | pip | No | Version pinned at lower bound only |

Security Positives

✓ No shell execution (subprocess, os.system, etc.)
✓ No file system write operations
✓ No credential harvesting from sensitive paths
✓ No base64 decoding or obfuscated code execution
✓ No hidden HTML/JS payloads
✓ No clipboard access
✓ Credentials (app_id, app_secret) are used only for intended Feishu API auth and not exfiltrated
✓ HTTP requests are limited to defined Feishu API endpoints except for the user-controlled webhook_url