Suspicious — Risk Score 45/100
Last scan: 1 day ago
feishu-evolver-wrapper
Feishu-integrated wrapper for capability-evolver with lifecycle management and reporting
Feishu evolver wrapper with significant undocumented shell execution, dynamic code evaluation, process control, and persistence mechanisms that lack clear security justification in documentation.
Skill Name: feishu-evolver-wrapper
Duration: 67.0s
Engine: pi
Use with caution
Review shell execution calls and evaluate whether their scope can be reduced. The new Function() evaluation of untrusted JSON represents high-risk dynamic code execution. Ensure all network calls are explicitly documented.

Findings 8 items

[Medium] Dynamic code evaluation on untrusted input (Obfuscation)
Uses the new Function() constructor to parse JSON with unquoted keys extracted from LLM output. While the input comes from internal spawn output, it is eval-like behavior that could be exploited if the spawn output is manipulated.
Code: const parsed = new Function('return (' + sanitized + ')')();
→ Replace new Function() with a safer JSON5 parser or validate keys before parsing
Location: index.js:1230

[Medium] Undeclared shell execution for git operations (Priv Escalation)
execSync spawns git add/commit/push/pull and git log commands. These are core to the functionality but are not declared in SKILL.md.
Code: execSync('git diff --cached --name-only', { cwd: gitRoot, encoding: 'utf8' })
→ Document the shell:WRITE permission requirement in SKILL.md
Location: index.js:400

[Medium] Undeclared openclaw CLI execution (Priv Escalation)
lifecycle.js executes openclaw cron commands (list, add, edit) via execSync to manage watchdog cron jobs.
Code: execSync(`${openclawCli} cron list --all --json`, ...)
→ Document the cron job management capability in SKILL.md
Location: lifecycle.js:150

[Medium] Missing declaration of process control (Doc Mismatch)
Code manages PIDs, kills stale processes, creates daemon processes, and performs process health checks. None of this is documented.
Code: process.kill(pid, 'SIGTERM')
→ Document process management capabilities and their security implications
Location: lifecycle.js:200

[Low] Thought injection via external file (Prompt Injection)
getInjectionHint() reads from evolver_hint.txt and appends its content to task prompts. While useful for control, it creates a prompt injection vector if the file can be modified by attackers.
Code: const hint = fs.readFileSync(INJECTION_FILE, 'utf8').trim()
→ Consider signed/validated hints or restrict file access permissions
Location: index.js:450

[Low] Session lock file deletion (Sensitive Access)
Deletes stale session lock files from ~/.openclaw/agents/main/sessions/ that are older than 5 minutes.
Code: fs.unlinkSync(lp); // Removed stale session lock
→ Verify this is intentionally removing stale locks and not interfering with active sessions
Location: index.js:500

[Low] Version not pinned in dependencies (Supply Chain)
package.json declares evolver as file:../evolver, a local path dependency without version constraints.
Code: "evolver": "file:../evolver"
→ Consider pinning to a specific version or git hash
Location: package.json:8

[Low] Skills monitor can execute arbitrary node code (Sensitive Access)
skills_monitor.js runs `node -e "require('...')"` on skills to check whether dependencies are missing. While documented as 'only for validation', it has potential for abuse.
Code: execSync(`node -e "require('${entryAbs.replace(/'/g, "\\'")}')"`)
→ Restrict to known-safe skill paths if possible
Location: skills_monitor.js:50
Resource     | Declared | Inferred | Status      | Evidence
Shell        | NONE     | WRITE    | ✗ Violation | index.js:execSync lines, lifecycle.js:execSync for git/CLI, self-repair.js, skil…
Network      | NONE     | WRITE    | ✗ Violation | feishu-helper.js:90 - POSTs to open.feishu.cn API
Filesystem   | NONE     | WRITE    | ✗ Violation | Writes to memory/, logs/, workspace/ directories with atomic tmp+rename patterns
Environment  | NONE     | READ     | ✗ Violation | Reads EVOLVE_*, FEISHU_*, OPENCLAW_* vars, sets them for child processes
Browser      | NONE     | NONE     | N/A         |
Database     | NONE     | NONE     | N/A         |
Clipboard    | NONE     | NONE     | N/A         |
Skill Invoke | NONE     | WRITE    | ✗ Violation | Spawns openclaw agent sessions and manages evolver lifecycle
External URLs: 3 findings

Medium | External URL | https://open.feishu.cn/open-apis/docx/v1/documents/$ | export_history.js:76
Medium | External URL | https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type= | feishu-helper.js:90
Medium | External URL | https://open.feishu.cn/open-apis/im/v1/chats?page_size=100$ | report.js:260

File Tree

24 files · 190.7 KB · 4554 lines
JavaScript: 19 files, 4452 lines · Shell: 1 file, 47 lines · Markdown: 2 files, 41 lines · JSON: 2 files, 14 lines
├─ 📁 utils
│ ├─ 📜 dashboard-generator.js JavaScript 127L · 4.0 KB
│ ├─ 📜 logger.js JavaScript 33L · 926 B
│ └─ 📜 sleep.js JavaScript 15L · 402 B
├─ 📋 _meta.json JSON 5L · 141 B
├─ 📜 check_health.js JavaScript 77L · 2.4 KB
├─ 📜 cleanup.js JavaScript 51L · 1.6 KB
├─ 📜 commentary.js JavaScript 37L · 1.6 KB
├─ 🔧 daemon.sh Shell 47L · 1.5 KB
├─ 📜 exec_cache.js JavaScript 25L · 803 B
├─ 📜 export_history.js JavaScript 99L · 3.4 KB
├─ 📜 feishu-helper.js JavaScript 105L · 3.0 KB
├─ 📜 index.js JavaScript 1706L · 86.2 KB
├─ 📜 issue_tracker.js JavaScript 163L · 5.2 KB
├─ 📜 lifecycle.js JavaScript 837L · 33.7 KB
├─ 📋 package.json JSON 9L · 208 B
├─ 📝 README.md Markdown 10L · 287 B
├─ 📜 report.js JavaScript 578L · 23.0 KB
├─ 📜 self-repair.js JavaScript 59L · 1.9 KB
├─ 📜 send-card-cli.js JavaScript 31L · 1.0 KB
├─ 📝 SKILL.md Markdown 31L · 1.3 KB
├─ 📜 skills_monitor.js JavaScript 170L · 5.9 KB
├─ 📜 trigger.js JavaScript 12L · 410 B
├─ 📜 visualize_dashboard.js JavaScript 192L · 7.2 KB
└─ 📜 weekly_insight.js JavaScript 135L · 4.7 KB

Dependencies 2 items

Package       | Version         | Source           | Known Vulns | Notes
evolver       | file:../evolver | local            | No          | Local path dependency, not version pinned
fetchWithAuth | N/A             | ../feishu-common | No          | Local shared module

Security Positives

✓ Secret scanning mechanism exists in feishu-helper.js with SECRET_PATTERNS to prevent credential exfiltration
✓ Atomic file operations used (tmp+rename pattern) for PID files and cycle counters
✓ Circuit breaker pattern for failure handling prevents resource exhaustion
✓ Singleton guard prevents duplicate wrapper instances
✓ Kill switch mechanism for emergency stop
✓ Failure lessons logging to prevent repeated mistakes
✓ Process existence verification before killing PIDs (isWrapperProcess check)
✓ Debounce mechanisms on cron checks and ensure operations