中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 45/100
上次扫描:2 天前 重新扫描
45 /100
bitable_to_feishu_webhook
从飞书多维表中按用户规则筛选记录,自动将格式化后的内容推送到指定的群机器人 Webhook
Skill has undeclared network exfiltration capability through user-controlled webhook_url that can send data to any external endpoint, and uses eval() with potential code execution vectors not declared in permissions.
技能名称bitable_to_feishu_webhook
分析耗时38.4s
引擎pi
谨慎使用
1) Declare all allowed webhook domains in SKILL.md permissions. 2) Consider whitelisting webhook destinations to feishu.cn domains only. 3) Remove or document scripts/push.py. 4) Consider replacing eval() with a safer expression parser.

攻击链 3 步

提权 Attacker provides malicious webhook_url pointing to controlled server
SKILL.md inputs:17
提权 User configures skill with attacker-provided webhook
SKILL.md inputs:17
提权 Skill POSTs bitable record data (including sensitive fields) to attacker-controlled URL
scripts/push_skill.py:175

安全发现 4 项

严重性 安全发现 位置
高危
Data exfiltration via undeclared webhook URL
The skill accepts a user-provided webhook_url parameter and sends formatted message data (including potentially sensitive fields from bitable records) to this URL. SKILL.md only declares network access to 'https://open.feishu.cn', but webhook_url can point to any external endpoint, enabling data exfiltration.
resp = get_session().post(webhook_url, headers={"Content-Type": "application/json"}, ...)
→ Either whitelist webhook domains or explicitly declare the capability to send data to arbitrary URLs in SKILL.md permissions.
 scripts/push_skill.py:175
中危
eval() with potential code execution escape
eval_rule() uses eval() with __builtins__={}. While this removes direct builtins, it may still allow dangerous operations through object construction (type(), __import__ via getattr on builtins, etc.). Not declared in SKILL.md.
return bool(eval(rule_expression, safe_globals, safe_locals))
→ Replace eval() with a safer expression parser (e.g., ast.literal_eval with restricted grammar) or explicitly declare the capability.
 scripts/push_skill.py:103
低危
Undocumented secondary script
scripts/push.py exists with similar functionality to push_skill.py but is not referenced in SKILL.md entrypoint.
#!/usr/bin/env python3
→ Remove or document scripts/push.py if it's intentionally a separate entry point.
 scripts/push.py:1
提示
Credentials handling appears safe
app_id and app_secret are used only for Feishu API authentication and are not exfiltrated. No access to ~/.ssh, ~/.aws, or .env files.
payload = {"app_id": app_id, "app_secret": app_secret}
→ No action needed.
 scripts/push_skill.py:68
资源类型声明权限推断权限状态证据
网络访问 READ (https://open.feishu.cn only) WRITE (arbitrary URL via webhook_url) ✗ 越权 scripts/push_skill.py:175-183 - send_to_webhook() POSTs to user-provided webhook…
文件系统 NONE NONE No file system operations found
命令执行 NONE NONE No shell execution found
环境变量 NONE READ (INPUT_* vars) ✓ 一致 Uses os.getenv() to read INPUT_* environment variables - expected but undocument…
4 项发现
🔗
中危 外部 URL 外部 URL
https://open.feishu.cn/open-apis/bot/v2/hook/xxx)
SKILL.md:36
🔗
中危 外部 URL 外部 URL
https://open.feishu.cn
SKILL.md:66
🔗
中危 外部 URL 外部 URL
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal
push_skill.py:59
🔗
中危 外部 URL 外部 URL
https://open.feishu.cn/open-apis/bitable/v1/apps/
push_skill.py:71

目录结构

6 文件 · 26.2 KB · 805 行
Python 2f · 672L Markdown 2f · 125L JSON 1f · 5L Text 1f · 3L
├─ 📁 scripts
│ └─ 🐍 push.py Python 78L · 2.2 KB
├─ 📋 _meta.json JSON 5L · 136 B
├─ 🐍 push_skill.py Python 594L · 19.9 KB
├─ 📝 README.md Markdown 58L · 2.0 KB
├─ 📄 requirements.txt Text 3L · 34 B
└─ 📝 SKILL.md Markdown 67L · 2.0 KB

依赖分析 2 项

包名版本来源已知漏洞备注
requests >=2.25.0 pip Version pinned at lower bound only
urllib3 >=1.26.0 pip Version pinned at lower bound only

安全亮点

✓ No shell execution (subprocess, os.system, etc.)
✓ No file system write operations
✓ No credential harvesting from sensitive paths
✓ No base64 decoding or obfuscated code execution
✓ No hidden HTML/JS payloads
✓ No clipboard access
✓ Credentials (app_id, app_secret) are used only for intended Feishu API auth and not exfiltrated
✓ HTTP requests are limited to defined Feishu API endpoints except for the user-controlled webhook_url