Low Risk — Risk Score 25/100
Last scan: 1 day ago
feishu-bot-manager
Feishu multi-account bot configuration management Skill - Adds Feishu bot accounts and routing bindings to openclaw config
This is a legitimate Feishu bot configuration management skill that reads/writes local openclaw config files and executes documented openclaw CLI commands for gateway restart. No data exfiltration, credential theft, or obfuscation detected.
Skill Name: feishu-bot-manager
Duration: 39.4s
Engine: pi
Safe to install
Accept for use. However, be aware that the skill stores appId/appSecret in plaintext in openclaw.json and requires shell:WRITE permission for gateway restart. These are declared in SKILL.md and are functionally necessary.

Findings (2 items)

Severity: Low
Finding: Undeclared shell:WRITE permission (Priv Escalation)
Location: index.js:144
SKILL.md does not document the shell:WRITE permission required for execSync calls that run 'openclaw gateway restart' and 'openclaw config set'. While the shell commands are legitimate for the skill's purpose, the permission should be declared.
Evidence: execSync('openclaw config set session.dmScope "per-account-channel-peer"', { stdio: 'pipe' });
→ Add shell:WRITE to the skill's declared capabilities in SKILL.md

Severity: Low
Finding: Credentials stored in plaintext config (Credential Theft)
Location: index.js:119
appSecret values are stored in plaintext in ~/.openclaw/openclaw.json after being passed as CLI arguments. No encryption or masking is applied. This is consistent with openclaw's native config format, but the skill accepts secrets via process.argv which can leak into shell history.
Evidence: appSecret: appsecret
→ Consider reading credentials from environment variables or prompting interactively instead of CLI args to avoid shell history exposure
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | index.js:28-29 reads ~/.openclaw/openclaw.json; index.js:71 writes it
Shell | NONE | WRITE | ✓ Aligned | index.js:144 execSync('openclaw config set session.dmScope ...'); index.js:148 e…
Network | NONE | NONE | | No network calls found in any file
Environment | NONE | READ | ✓ Aligned | index.js:27 uses process.env.HOME for config path — necessary and benign

File Tree

4 files · 12.9 KB · 472 lines
JavaScript: 2 files · 320 lines; Markdown: 1 file · 139 lines; JSON: 1 file · 13 lines
├─ 📁 lib
│ └─ 📜 validator.js JavaScript 68L · 1.4 KB
├─ 📜 index.js JavaScript 252L · 7.4 KB
├─ 📋 package.json JSON 13L · 275 B
└─ 📝 SKILL.md Markdown 139L · 3.8 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
readline | ^1.3.0 | npm | No | Node.js built-in module, re-exported as dependency

Security Positives

✓ All code is in plain, readable JavaScript — no obfuscation detected
✓ No base64-encoded commands, no reverse shells, no C2 communication
✓ No hidden functionality — implementation matches SKILL.md purpose
✓ Automatic backup creation before config modification
✓ Input validation via regex for App ID, Chat ID, Account ID formats
✓ Graceful error handling with fallback messages when openclaw commands fail
✓ Credentials are written only to local config file — not exfiltrated anywhere
✓ No malicious dependencies — package.json has only 'readline' with pinned version