安全决策报告
feishu-evolver-wrapper
Feishu evolver wrapper with significant undocumented shell execution, dynamic code evaluation, process control, and persistence mechanisms that lack clear security justification in documentation.
最直接的威胁证据
为什么得出这个结论
1/4 个维度触发 阻止
声明与实际能力
发现 5 项声明之外的能力或越权行为。
复核
隐藏执行与外联
提取到 3 个一般风险产物,需要结合上下文判断。
通过
攻击链与高危发现
没有形成明确的恶意路径。
复核
依赖与供应链卫生
发现 1 项需要关注的依赖或供应链线索。
风险分是怎么被拉高的
Dynamic code evaluation via new Function() +15
Uses eval pattern on LLM-generated JSON that may contain untrusted content (index.js:1230)
Extensive undocumented shell execution +15
execSync/spawn used for git, openclaw CLI, and node -c commands across multiple files without declaration in SKILL.md
Undeclared process control +10
Manages PIDs, kills processes, creates cron jobs without documentation
Undeclared persistence +10
Bash daemon, PID files, and cron job registration via openclaw CLI
Task injection mechanism +8
Reads hints from INJECTION_FILE and appends to task content (potential prompt injection vector)
Large codebase (1706+ lines) +5
Complex index.js with significant attack surface
最关键的证据
中危 代码混淆
Dynamic code evaluation on untrusted input
Uses new Function() constructor to parse JSON with unquoted keys extracted from LLM output. While input is from internal spawn output, it represents eval-like behavior that could be exploited if spawn output is manipulated.
index.js:1230 Replace new Function() with a safer JSON5 parser or validate keys before parsing
中危 权限提升
Undeclared shell execution for git operations
execSync spawns git add/commit/push/pull and git log commands. These are core to functionality but not declared in SKILL.md.
index.js:400 Document shell:WRITE permission requirement in SKILL.md
中危 权限提升
Undeclared openclaw CLI execution
lifecycle.js executes openclaw cron commands (list, add, edit) via execSync to manage watchdog cron jobs.
lifecycle.js:150 Document cron job management capability in SKILL.md
中危 文档欺骗
Missing declaration of process control
Code manages PIDs, kills stale processes, creates daemon processes, and performs process health checks. None of this is documented.
lifecycle.js:200 Document process management capabilities and security implications
低危 提示注入
Thought injection via external file
getInjectionHint() reads from evolver_hint.txt and appends content to task prompts. While useful for control, it creates a prompt injection vector if the file can be modified by attackers.
index.js:450 Consider signed/validated hints or restrict file access permissions
低危 敏感访问
Session lock file deletion
Deletes stale session lock files from ~/.openclaw/agents/main/sessions/ older than 5 minutes.
index.js:500 Verify this is intentionally removing stale locks and not interfering with active sessions
低危 供应链
Version not pinned in dependencies
package.json has evolver as file:../evolver which is a local path dependency without version constraints.
package.json:8 Consider pinning to specific version or git hash
低危 敏感访问
Skills monitor can execute arbitrary node code
skills_monitor.js runs `node -e "require('...')`" on skills to check if dependencies are missing. While documented as 'only for validation', it has potential for abuse.
skills_monitor.js:50 Restrict to known-safe skill paths if possible
声明能力 vs 实际能力
命令执行 阻止
声明 NONE
→ 推断 WRITE
index.js:execSync lines, lifecycle.js:execSync for git/CLI, self-repair.js, skills_monitor.js 网络访问 阻止
声明 NONE
→ 推断 WRITE
feishu-helper.js:90 - POSTs to open.feishu.cn API 文件系统 阻止
声明 NONE
→ 推断 WRITE
Writes to memory/, logs/, workspace/ directories with atomic tmp+rename patterns 环境变量 阻止
声明 NONE
→ 推断 READ
Reads EVOLVE_*, FEISHU_*, OPENCLAW_* vars, sets them for child processes 浏览器 通过
声明 NONE
→ 推断 NONE
N/A 数据库 通过
声明 NONE
→ 推断 NONE
N/A 剪贴板 通过
声明 NONE
→ 推断 NONE
N/A 技能调用 阻止
声明 NONE
→ 推断 WRITE
Spawns openclaw agent sessions and manages evolver lifecycle 可疑产物与外联
中危 外部 URL
https://open.feishu.cn/open-apis/docx/v1/documents/$ export_history.js:76
中危 外部 URL
https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type= feishu-helper.js:90
中危 外部 URL
https://open.feishu.cn/open-apis/im/v1/chats?page_size=100$ report.js:260
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| evolver | file:../evolver | local | 否 | Local path dependency, not version pinned |
| fetchWithAuth | N/A | ../feishu-common | 否 | Local shared module |
文件构成
24 个文件 · 4554 行
JavaScript 19 个文件 · 4452 行Shell 1 个文件 · 47 行Markdown 2 个文件 · 41 行JSON 2 个文件 · 14 行
需关注文件 · 6
index.js Dynamic code evaluation on untrusted input · Undeclared shell execution for git operations · Thought injection via external file · Session lock file deletion
lifecycle.js Undeclared openclaw CLI execution · Missing declaration of process control
report.js https://open.feishu.cn/open-apis/im/v1/chats?page_size=100$
skills_monitor.js Skills monitor can execute arbitrary node code
export_history.js https://open.feishu.cn/open-apis/docx/v1/documents/$
feishu-helper.js https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=
其他文件 · visualize_dashboard.js · issue_tracker.js · weekly_insight.js · dashboard-generator.js · check_health.js · self-repair.js
安全亮点
Secret scanning mechanism exists in feishu-helper.js with SECRET_PATTERNS to prevent credential exfiltration
Atomic file operations used (tmp+rename pattern) for PID files and cycle counters
Circuit breaker pattern for failure handling prevents resource exhaustion
Singleton guard prevents duplicate wrapper instances
Kill switch mechanism for emergency stop
Failure lessons logging to prevent repeated mistakes
Process existence verification before killing PIDs (isWrapperProcess check)
Debounce mechanisms on cron checks and ensure operations