中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 25/100
Last scan:1 day ago Rescan
25 /100
feishu-doc-collab
Enable real-time AI collaboration in Feishu (Lark) documents — turns any Feishu doc into a live human-AI conversation space with structured in-doc chat protocol and optional Bitable task board integration.
A legitimate Feishu document collaboration skill for OpenClaw. The shell script patching, character-code Python obfuscation, and system file modification are unusual but serve clear, documented purposes with no data exfiltration or credential theft.
Skill Namefeishu-doc-collab
Duration57.9s
Enginepi
Safe to install
Approve for use. No undeclared sensitive behavior found. The shell script's Python one-liner obfuscation (character codes) and system file patching are documented. Consider clarifying shell:WRITE in SKILL.md's capability declaration for transparency.

Findings 5 items

Severity Finding Location
Low
shell:WRITE not declared in allowed-tools section Doc Mismatch
SKILL.md does not list shell execution in its allowed-tools section, yet patch-monitor.sh requires Bash (set -e, cp, grep, python3). The documentation describes 'bash ./scripts/patch-monitor.sh' as a setup step but never maps this to a declared resource level.
allowed-tools mapping: Bash→shell:WRITE, Read→filesystem:READ
→ Add shell:WRITE to the skill's declared capabilities or restructure the patch script as a setup-time-only step that is clearly scoped as a prerequisite.
 SKILL.md:1
Low
Python config extraction uses character-code string obfuscation Obfuscation
patch-monitor.sh line 47 uses chr() character-code encoding to construct JSON field names ($CONFIG, agent_name) inside a python3 -c call. This is visually suspicious but functionally equivalent to a plain jq or python3 -r json.load() call.
python3 -c "import json; print(json.load(open(chr(39)+str('''$CONFIG''')[:0]+'''$CONFIG'''+chr(39)))[chr(39)+'agent_name'+chr(39)])"
→ Replace with a readable equivalent: python3 -c "import json,sys; print(json.load(open('$CONFIG'))['agent_name'])" — or use jq for clarity.
 scripts/patch-monitor.sh:47
Low
Hardcoded agent name 'MyBot' in patched monitor.js Doc Mismatch
The embedded instructions in _handleDriveEditEvent hardcode 'MyBot' as the bot identity check (sender is yourself → skip, receiver not 'MyBot' → skip). This should be read dynamically from config.json at patch time, not hardcoded.
- If sender is yourself (MyBot) → do NOTHING, reply NO_REPLY
   - If receiver is not your name (MyBot) and not "all" → do NOTHING
→ Use a placeholder (e.g., {{AGENT_NAME}}) in the reference file and substitute it at patch time using sed, matching the pattern used in the existing backup mechanism.
 references/monitor-full-patched.js:86
Info
System file modification without version control Priv Escalation
The patch script directly overwrites OpenClaw's monitor.js/ts in the node_modules or ~/.openclaw/extensions directory. While backup is created, the patch is not tracked by a package manager and must be re-applied after updates. This is documented but remains a fragile integration point.
cp "$REF" "$MONITOR"
→ Consider a more robust integration mechanism (e.g., OpenClaw plugin hook API) instead of direct file patching. Document the re-patch requirement prominently.
 scripts/patch-monitor.sh:54
Info
Reads ~/.openclaw/openclaw.json at runtime Sensitive Access
The patched monitor.js reads the hooks token and gateway port from ~/.openclaw/openclaw.json at runtime using synchronous fs.readFileSync. This is necessary for the integration but reads a config file containing sensitive credentials.
const cfgRaw = fs2.readFileSync(`${process.env.HOME || "/root"}/.openclaw/openclaw.json`, "utf-8");
→ Document this runtime access clearly. The token is used only for local 127.0.0.1 POST authentication, which is acceptable. Ensure openclaw.json permissions are restricted to the openclaw user.
 references/monitor-full-patched.js:75
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned patch-monitor.sh:42 — cp references/monitor-full-patched.js to monitor.js
Network READ READ ✓ Aligned references/feishu-app-setup.md references open.feishu.cn URLs (documentation)
Shell NONE WRITE ✗ Violation patch-monitor.sh:1 — set -e; cp; grep; python3; uses Bash extensively, not decla…
Environment NONE READ ✗ Violation monitor-full-patched.js:75 — reads process.env.HOME for path construction; envir…
Skill Invoke NONE NONE No skill_invoke usage observed
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser access
Database NONE NONE No direct database access
2 findings
🔗
Medium External URL 外部 URL
https://open.feishu.cn/app
references/feishu-app-setup.md:16
🔗
Medium External URL 外部 URL
http://127.0.0.1:
references/manual-patch.md:19

File Tree

8 files · 29.7 KB · 797 lines
Markdown 5f · 528L JavaScript 1f · 193L Shell 1f · 68L JSON 1f · 8L
├─ 📁 assets
│ └─ 📝 DOC_PROTOCOL_TEMPLATE.md Markdown 59L · 1.4 KB
├─ 📁 references
│ ├─ 📝 bitable-task-protocol.md Markdown 53L · 2.0 KB
│ ├─ 📝 feishu-app-setup.md Markdown 74L · 2.4 KB
│ ├─ 📝 manual-patch.md Markdown 71L · 3.4 KB
│ └─ 📜 monitor-full-patched.js JavaScript 193L · 9.2 KB
├─ 📁 scripts
│ └─ 🔧 patch-monitor.sh Shell 68L · 2.1 KB
├─ 🔑 config.json JSON 8L · 131 B
└─ 📝 SKILL.md Markdown 271L · 9.2 KB

Security Positives

✓ No base64-encoded payloads, eval(), or atob() usage found in any script or JS file
✓ No remote script download (curl|bash, wget|sh) — reference file is bundled locally
✓ No credential exfiltration — hooks token read stays local, used only for localhost authentication
✓ Backup (.bak) is created before patching system files
✓ Idempotent patch — script checks for existing patch markers before modifying files
✓ No ~/.ssh, ~/.aws, .env, or other sensitive credential paths accessed
✓ No network calls to external IPs — all POSTs go to 127.0.0.1 only
✓ Patch mechanism is fully documented in SKILL.md and references/
✓ Anti-loop logic (bot self-edit check) prevents infinite loops
✓ 30-second debounce prevents event storms and token waste