Skill Trust Decision

feishu-evolver-wrapper

Name: feishu-evolver-wrapper Trust Review Report
Item: feishu-evolver-wrapper
Rating: 55
Author: ClawSafe

Feishu evolver wrapper with significant undocumented shell execution, dynamic code evaluation, process control, and persistence mechanisms that lack clear security justification in documentation.

Install decision first Source: Manual upload Scanned: Apr 4, 2026

Files 24

Artifacts 3

Violations 5

Findings 8

Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged

Block

Declared vs actual capability

5 undeclared or violating capabilities were inferred.

Review

Hidden execution and egress

3 lower-risk artifacts were extracted and still need context.

Pass

Attack chain and severe findings

There is no explicit malicious chain in the report.

Review

Dependencies and supply chain hygiene

1 dependency or supply-chain issues need attention.

What drove the risk score up

Dynamic code evaluation via new Function() +15

Uses eval pattern on LLM-generated JSON that may contain untrusted content (index.js:1230)

Extensive undocumented shell execution +15

execSync/spawn used for git, openclaw CLI, and node -c commands across multiple files without declaration in SKILL.md

Undeclared process control +10

Manages PIDs, kills processes, creates cron jobs without documentation

Undeclared persistence +10

Bash daemon, PID files, and cron job registration via openclaw CLI

Task injection mechanism +8

Reads hints from INJECTION_FILE and appends to task content (potential prompt injection vector)

Large codebase (1706+ lines) +5

Complex index.js with significant attack surface

Most important evidence

Medium Obfuscation

Dynamic code evaluation on untrusted input

Uses new Function() constructor to parse JSON with unquoted keys extracted from LLM output. While input is from internal spawn output, it represents eval-like behavior that could be exploited if spawn output is manipulated.

index.js:1230

Replace new Function() with a safer JSON5 parser or validate keys before parsing

Medium Priv Escalation

Undeclared shell execution for git operations

execSync spawns git add/commit/push/pull and git log commands. These are core to functionality but not declared in SKILL.md.

index.js:400

Document shell:WRITE permission requirement in SKILL.md

Medium Priv Escalation

Undeclared openclaw CLI execution

lifecycle.js executes openclaw cron commands (list, add, edit) via execSync to manage watchdog cron jobs.

lifecycle.js:150

Document cron job management capability in SKILL.md

Medium Doc Mismatch

Missing declaration of process control

Code manages PIDs, kills stale processes, creates daemon processes, and performs process health checks. None of this is documented.

lifecycle.js:200

Document process management capabilities and security implications

Low Prompt Injection

Thought injection via external file

getInjectionHint() reads from evolver_hint.txt and appends content to task prompts. While useful for control, it creates a prompt injection vector if the file can be modified by attackers.

index.js:450

Consider signed/validated hints or restrict file access permissions

Low Sensitive Access

Session lock file deletion

Deletes stale session lock files from ~/.openclaw/agents/main/sessions/ older than 5 minutes.

index.js:500

Verify this is intentionally removing stale locks and not interfering with active sessions

Low Supply Chain

Version not pinned in dependencies

package.json has evolver as file:../evolver which is a local path dependency without version constraints.

package.json:8

Consider pinning to specific version or git hash

Low Sensitive Access

Skills monitor can execute arbitrary node code

skills_monitor.js runs `node -e "require('...')`" on skills to check if dependencies are missing. While documented as 'only for validation', it has potential for abuse.

skills_monitor.js:50

Restrict to known-safe skill paths if possible

Declared capability vs actual capability

Shell Block

Declared NONE

→

Inferred WRITE

index.js:execSync lines, lifecycle.js:execSync for git/CLI, self-repair.js, skills_monitor.js

Network Block

Declared NONE

→

Inferred WRITE

feishu-helper.js:90 - POSTs to open.feishu.cn API

Filesystem Block

Declared NONE

→

Inferred WRITE

Writes to memory/, logs/, workspace/ directories with atomic tmp+rename patterns

Environment Block

Declared NONE

→

Inferred READ

Reads EVOLVE_*, FEISHU_*, OPENCLAW_* vars, sets them for child processes

Browser Pass

Declared NONE

→

Inferred NONE

N/A

Database Pass

Declared NONE

→

Inferred NONE

N/A

Clipboard Pass

Declared NONE

→

Inferred NONE

N/A

Skill Invoke Block

Declared NONE

→

Inferred WRITE

Spawns openclaw agent sessions and manages evolver lifecycle

Suspicious artifacts and egress

Medium External URL

https://open.feishu.cn/open-apis/docx/v1/documents/$

export_history.js:76

Medium External URL

https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=

feishu-helper.js:90

Medium External URL

https://open.feishu.cn/open-apis/im/v1/chats?page_size=100$

report.js:260

Dependencies and supply chain

Package	Version	Source	Known vuln	Notes
evolver	`file:../evolver`	local	No	Local path dependency, not version pinned
fetchWithAuth	`N/A`	../feishu-common	No	Local shared module

File composition

24 files · 4554 lines

JavaScript 19 files · 4452 linesShell 1 files · 47 linesMarkdown 2 files · 41 linesJSON 2 files · 14 lines

Files of concern · 6

index.js JavaScript · 1706 lines

Dynamic code evaluation on untrusted input · Undeclared shell execution for git operations · Thought injection via external file · Session lock file deletion

lifecycle.js JavaScript · 837 lines

Undeclared openclaw CLI execution · Missing declaration of process control

report.js JavaScript · 578 lines

https://open.feishu.cn/open-apis/im/v1/chats?page_size=100$

skills_monitor.js JavaScript · 170 lines

Skills monitor can execute arbitrary node code

export_history.js JavaScript · 99 lines

https://open.feishu.cn/open-apis/docx/v1/documents/$

feishu-helper.js JavaScript · 105 lines

https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=

Other files · visualize_dashboard.js · issue_tracker.js · weekly_insight.js · dashboard-generator.js · check_health.js · self-repair.js

24 files · 190.7 KB · 4554 lines

JavaScript 19f · 4452LShell 1f · 47LMarkdown 2f · 41LJSON 2f · 14L

├─ ▾ 📁 utils

│ ├─ 📜 dashboard-generator.js JavaScript 127L · 4.0 KB

│ ├─ 📜 logger.js JavaScript 33L · 926 B

│ └─ 📜 sleep.js JavaScript 15L · 402 B

├─ 📝 README.md Markdown 10L · 287 B

├─ 📝 SKILL.md Markdown 31L · 1.3 KB

├─ 📋 _meta.json JSON 5L · 141 B

├─ 📜 check_health.js JavaScript 77L · 2.4 KB

├─ 📜 cleanup.js JavaScript 51L · 1.6 KB

├─ 📜 commentary.js JavaScript 37L · 1.6 KB

├─ 🔧 daemon.sh Shell 47L · 1.5 KB

├─ 📜 exec_cache.js JavaScript 25L · 803 B

├─ 📜 export_history.js JavaScript 99L · 3.4 KB

├─ 📜 feishu-helper.js JavaScript 105L · 3.0 KB

├─ 📜 index.js JavaScript 1706L · 86.2 KB

├─ 📜 issue_tracker.js JavaScript 163L · 5.2 KB

├─ 📜 lifecycle.js JavaScript 837L · 33.7 KB

├─ 📋 package.json JSON 9L · 208 B

├─ 📜 report.js JavaScript 578L · 23.0 KB

├─ 📜 self-repair.js JavaScript 59L · 1.9 KB

├─ 📜 send-card-cli.js JavaScript 31L · 1.0 KB

├─ 📜 skills_monitor.js JavaScript 170L · 5.9 KB

├─ 📜 trigger.js JavaScript 12L · 410 B

├─ 📜 visualize_dashboard.js JavaScript 192L · 7.2 KB

└─ 📜 weekly_insight.js JavaScript 135L · 4.7 KB

Security positives

Secret scanning mechanism exists in feishu-helper.js with SECRET_PATTERNS to prevent credential exfiltration

Atomic file operations used (tmp+rename pattern) for PID files and cycle counters

Circuit breaker pattern for failure handling prevents resource exhaustion

Singleton guard prevents duplicate wrapper instances

Kill switch mechanism for emergency stop

Failure lessons logging to prevent repeated mistakes

Process existence verification before killing PIDs (isWrapperProcess check)

Debounce mechanisms on cron checks and ensure operations