Suspicious: risk score 45/100
Last scan: 1 day ago
feishu-evolver-wrapper
Feishu-integrated wrapper for capability-evolver with lifecycle management and reporting
Feishu evolver wrapper with significant undocumented shell execution, dynamic code evaluation, process control, and persistence mechanisms that lack clear security justification in documentation.
Skill name: feishu-evolver-wrapper
Analysis time: 67.0s
Engine: pi
Use with caution
Review the shell execution calls and evaluate whether their scope can be reduced. The new Function() evaluation of untrusted JSON is high-risk dynamic code execution. Ensure all network calls are explicitly documented.

Security findings (8)

Severity | Finding | Category | Location

Medium | Dynamic code evaluation on untrusted input | Code obfuscation | index.js:1230
Uses the new Function() constructor to parse JSON with unquoted keys extracted from LLM output. While the input comes from internal spawn output, this is eval-like behavior that could be exploited if the spawn output is manipulated.
  const parsed = new Function('return (' + sanitized + ')')();
→ Replace new Function() with a safer JSON5 parser, or validate keys before parsing

Medium | Undeclared shell execution for git operations | Privilege escalation | index.js:400
execSync spawns git add/commit/push/pull and git log commands. These are core to the functionality but are not declared in SKILL.md.
  execSync('git diff --cached --name-only', { cwd: gitRoot, encoding: 'utf8' })
→ Document the shell:WRITE permission requirement in SKILL.md

Medium | Undeclared openclaw CLI execution | Privilege escalation | lifecycle.js:150
lifecycle.js executes openclaw cron commands (list, add, edit) via execSync to manage watchdog cron jobs.
  execSync(`${openclawCli} cron list --all --json`, ...)
→ Document the cron job management capability in SKILL.md

Medium | Missing declaration of process control | Documentation deception | lifecycle.js:200
The code manages PIDs, kills stale processes, creates daemon processes, and performs process health checks. None of this is documented.
  process.kill(pid, 'SIGTERM')
→ Document the process management capabilities and their security implications

Low | Thought injection via external file | Prompt injection | index.js:450
getInjectionHint() reads evolver_hint.txt and appends its content to task prompts. While useful for control, this creates a prompt injection vector if the file can be modified by an attacker.
  const hint = fs.readFileSync(INJECTION_FILE, 'utf8').trim()
→ Consider signed/validated hints, or restrict file access permissions

Low | Session lock file deletion | Sensitive access | index.js:500
Deletes stale session lock files from ~/.openclaw/agents/main/sessions/ that are older than 5 minutes.
  fs.unlinkSync(lp); // Removed stale session lock
→ Verify that this only removes stale locks and does not interfere with active sessions

Low | Version not pinned in dependencies | Supply chain | package.json:8
package.json declares evolver as file:../evolver, a local path dependency without version constraints.
  "evolver": "file:../evolver"
→ Consider pinning to a specific version or git hash
Low | Skills monitor can execute arbitrary node code | Sensitive access | skills_monitor.js:50
skills_monitor.js runs `node -e "require('...')"` on skills to check whether dependencies are missing. While documented as 'only for validation', it has potential for abuse.
  execSync(`node -e "require('${entryAbs.replace(/'/g, "\\'")}')"`)
→ Restrict to known-safe skill paths if possible
Resource | Declared | Inferred | Status | Evidence
Command execution | NONE | WRITE | ✗ Undeclared | index.js:execSync lines, lifecycle.js:execSync for git/CLI, self-repair.js, skil…
Network access | NONE | WRITE | ✗ Undeclared | feishu-helper.js:90 - POSTs to open.feishu.cn API
Filesystem | NONE | WRITE | ✗ Undeclared | Writes to memory/, logs/, workspace/ directories with atomic tmp+rename patterns
Environment variables | NONE | READ | ✗ Undeclared | Reads EVOLVE_*, FEISHU_*, OPENCLAW_* vars, sets them for child processes
Browser | NONE | NONE | N/A |
Database | NONE | NONE | N/A |
Clipboard | NONE | NONE | N/A |
Skill invocation | NONE | WRITE | ✗ Undeclared | Spawns openclaw agent sessions and manages evolver lifecycle
3 findings
Medium | External URL | https://open.feishu.cn/open-apis/docx/v1/documents/$ | export_history.js:76
Medium | External URL | https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type= | feishu-helper.js:90
Medium | External URL | https://open.feishu.cn/open-apis/im/v1/chats?page_size=100$ | report.js:260

Directory structure

24 files · 190.7 KB · 4554 lines
JavaScript 19 files · 4452 lines; Shell 1 file · 47 lines; Markdown 2 files · 41 lines; JSON 2 files · 14 lines
├─ 📁 utils
│ ├─ 📜 dashboard-generator.js JavaScript 127L · 4.0 KB
│ ├─ 📜 logger.js JavaScript 33L · 926 B
│ └─ 📜 sleep.js JavaScript 15L · 402 B
├─ 📋 _meta.json JSON 5L · 141 B
├─ 📜 check_health.js JavaScript 77L · 2.4 KB
├─ 📜 cleanup.js JavaScript 51L · 1.6 KB
├─ 📜 commentary.js JavaScript 37L · 1.6 KB
├─ 🔧 daemon.sh Shell 47L · 1.5 KB
├─ 📜 exec_cache.js JavaScript 25L · 803 B
├─ 📜 export_history.js JavaScript 99L · 3.4 KB
├─ 📜 feishu-helper.js JavaScript 105L · 3.0 KB
├─ 📜 index.js JavaScript 1706L · 86.2 KB
├─ 📜 issue_tracker.js JavaScript 163L · 5.2 KB
├─ 📜 lifecycle.js JavaScript 837L · 33.7 KB
├─ 📋 package.json JSON 9L · 208 B
├─ 📝 README.md Markdown 10L · 287 B
├─ 📜 report.js JavaScript 578L · 23.0 KB
├─ 📜 self-repair.js JavaScript 59L · 1.9 KB
├─ 📜 send-card-cli.js JavaScript 31L · 1.0 KB
├─ 📝 SKILL.md Markdown 31L · 1.3 KB
├─ 📜 skills_monitor.js JavaScript 170L · 5.9 KB
├─ 📜 trigger.js JavaScript 12L · 410 B
├─ 📜 visualize_dashboard.js JavaScript 192L · 7.2 KB
└─ 📜 weekly_insight.js JavaScript 135L · 4.7 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
evolver | file:../evolver | local | | Local path dependency, not version pinned
fetchWithAuth | N/A | ../feishu-common | | Local shared module

Security highlights

✓ Secret scanning mechanism exists in feishu-helper.js with SECRET_PATTERNS to prevent credential exfiltration
✓ Atomic file operations used (tmp+rename pattern) for PID files and cycle counters
✓ Circuit breaker pattern for failure handling prevents resource exhaustion
✓ Singleton guard prevents duplicate wrapper instances
✓ Kill switch mechanism for emergency stop
✓ Failure lessons logging to prevent repeated mistakes
✓ Process existence verification before killing PIDs (isWrapperProcess check)
✓ Debounce mechanisms on cron checks and ensure operations