Security Decision Report

bitable_to_feishu_webhook

Skill has undeclared network exfiltration capability through user-controlled webhook_url that can send data to any external endpoint, and uses eval() with potential code execution vectors not declared in permissions.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files: 6
IOCs: 4
Privilege overreach items: 1
Findings: 4
Most direct threat evidence
01
Attacker provides malicious webhook_url pointing to controlled server
reconnaissance · SKILL.md inputs
02
User configures skill with attacker-provided webhook
delivery · SKILL.md inputs
03
Skill POSTs bitable record data (including sensitive fields) to attacker-controlled URL
data exfiltration · scripts/push_skill.py

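Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or privilege overreach beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 4 general-risk artifacts; these need to be judged in context.

Block
Attack chain and high-severity findings

The report contains a 3-step attack chain, plus 1 high-severity or critical finding.

Review
Dependency and supply-chain hygiene

Found 2 dependency or supply-chain leads that need attention.

Attack chain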

01
Attacker provides malicious webhook_url pointing to controlled server

reconnaissance · SKILL.md inputs:17

02
User configures skill with attacker-provided webhook

delivery · SKILL.md inputs:17

03
Skill POSTs bitable record data (including sensitive fields) to attacker-controlled URL

data exfiltration · scripts/push_skill.py:175

What raised the risk score

Undeclared webhook exfiltration +25

webhook_url accepts any URL, enabling data exfiltration to arbitrary endpoints not declared in network permissions

eval() with restricted but not sandboxed globals +15

eval() with __builtins__:{} still allows object construction attacks (type, __import__, etc.) - not declared in permissions

Duplicate undocumented script +5

scripts/push.py exists but is not referenced in SKILL.md entrypoint

Key evidence

High

Data exfiltration via undeclared webhook URL

The skill accepts a user-provided webhook_url parameter and sends formatted message data (including potentially sensitive fields from bitable records) to this URL. SKILL.md only declares network access to 'https://open.feishu.cn', but webhook_url can point to any external endpoint, enabling data exfiltration.

scripts/push_skill.py:175
Either whitelist webhook domains or explicitly declare the capability to send data to arbitrary URLs in SKILL.md permissions.
Medium

eval() with potential code execution escape

eval_rule() uses eval() with __builtins__={}. While this removes direct builtins, it may still allow dangerous operations through object construction (type(), __import__ via getattr on builtins, etc.). Not declared in SKILL.md.

scripts/push_skill.py:103
Replace eval() with a safer expression parser (e.g., ast.literal_eval with restricted grammar) or explicitly declare the capability.
Low

Undocumented secondary script

scripts/push.py exists with similar functionality to push_skill.py but is not referenced in SKILL.md entrypoint.

scripts/push.py:1
Remove or document scripts/push.py if it's intentionally a separate entry point.
Info

Credentials handling appears safe

app_id and app_secret are used only for Feishu API authentication and are not exfiltrated. No access to ~/.ssh, ~/.aws, or .env files.

scripts/push_skill.py:68
No action needed.

Declared vs. actual capabilities

Network access · Block
Declared: READ (https://open.feishu.cn only)
Inferred: WRITE (arbitrary URL via webhook_url)
scripts/push_skill.py:175-183 - send_to_webhook() POSTs to user-provided webhook_url without domain restriction
File system · Pass
Declared: NONE
Inferred: NONE
No file system operations found
Command execution · Pass
Declared: NONE
Inferred: NONE
No shell execution found
Environment variables · Pass
Declared: NONE
Inferred: READ (INPUT_* vars)
Uses os.getenv() to read INPUT_* environment variables - expected but undocumented

Suspicious artifacts and outbound connections

Medium · External URL
https://open.feishu.cn/open-apis/bot/v2/hook/xxx)

SKILL.md:36

Medium · External URL
https://open.feishu.cn

SKILL.md:66

Medium · External URL
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal

push_skill.py:59

Medium · External URL
https://open.feishu.cn/open-apis/bitable/v1/apps/

push_skill.py:71

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
requests | >=2.25.0 | pip | | Version pinned at lower bound only
urllib3 | >=1.26.0 | pip | | Version pinned at lower bound only

File composition

6 files · 805 lines
Python 2 files · 672 lines
Markdown 2 files · 125 lines
JSON 1 file · 5 lines
Text 1 file · 3 lines
Files needing attention · 3
push_skill.py Python · 594 lines
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal · https://open.feishu.cn/open-apis/bitable/v1/apps/
scripts/push.py Python · 78 lines
Undocumented secondary script
SKILL.md Markdown · 67 lines
https://open.feishu.cn/open-apis/bot/v2/hook/xxx) · https://open.feishu.cn
Other files · README.md · _meta.json · requirements.txt

Security highlights

No shell execution (subprocess, os.system, etc.)
No file system write operations
No credential harvesting from sensitive paths
No base64 decoding or obfuscated code execution
No hidden HTML/JS payloads
No clipboard access
Credentials (app_id, app_secret) are used only for intended Feishu API auth and not exfiltrated
HTTP requests are limited to defined Feishu API endpoints except for the user-controlled webhook_url