feishu-agent-mesh Security Report — Trusted | ClawSafe

5 /100

feishu-agent-mesh

Blueprint for wiring multiple OpenClaw agents into the same Feishu group chats for autonomous multi-turn discussions, task handoffs, and logging

Legitimate multi-agent coordination framework for Feishu (Lark) with no malicious behavior detected. All code performs documented functionality with proper use of Feishu APIs.

Skill Namefeishu-agent-mesh

Duration45.4s

Enginepi

✓

Safe to install

This skill is safe to use. Ensure proper handling of environment variables for production deployments.

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	feishu-callback-server.js:33-36,56-62
Environment	`READ`	`READ`	✓ Aligned	feishu-callback-server.js:15-24
Filesystem	`NONE`	`NONE`	—	No file operations in implementation
Shell	`NONE`	`NONE`	—	Node.js uses fetch/http, no subprocess or exec calls
Skill Invoke	`NONE`	`NONE`	—	Configuration-based routing only

5 findings

🔗

Medium External URL 外部 URL

https://relay.example.com/feishu/callback

SKILL.md:51

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal

scripts/feishu-callback-server.js:33

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/bitable/v1/apps/$

scripts/feishu-callback-server.js:56

🔗

Medium External URL 外部 URL

https://xiaogua.example.com/tools/invoke

scripts/relay-config.example.json:10

🔗

Medium External URL 外部 URL

https://xiaogu.example.com/tools/invoke

scripts/relay-config.example.json:22

File Tree

10 files · 24.9 KB · 540 lines

Markdown 7f · 298L JSON 2f · 127L JavaScript 1f · 115L

├─ ▾ 📁 references

│ ├─ 📝 architecture.md Markdown 45L · 2.2 KB

│ ├─ 📝 deployment-checklist.md Markdown 40L · 2.1 KB

│ ├─ 📝 info-collection-template.md Markdown 15L · 1.2 KB

│ ├─ 📝 logging-schema.md Markdown 47L · 2.0 KB

│ └─ 📝 workflow-templates.md Markdown 39L · 2.1 KB

├─ ▾ 📁 scripts

│ ├─ 📜 feishu-callback-server.js JavaScript 115L · 3.8 KB

│ ├─ 📝 README.md Markdown 24L · 845 B

│ └─ 📋 relay-config.example.json JSON 65L · 1.5 KB

├─ ▾ 📁 templates

│ └─ 📋 accounts.example.json JSON 62L · 1.6 KB

└─ 📝 SKILL.md Markdown 88L · 7.6 KB

Dependencies 4 items

Package	Version	Source	Known Vulns	Notes
`express`	`*`	npm	No	Standard web framework
`body-parser`	`*`	npm	No	Express middleware for parsing request bodies
`node-fetch`	`*`	npm	No	HTTP client for Feishu API calls
`crypto`	`builtin`	Node.js	No	Built-in module for AES decryption

Security Positives

✓ Clean, readable JavaScript implementation with no obfuscation

✓ All network requests go to official Feishu API endpoints only

✓ No shell execution, subprocess, or system command calls

✓ Proper token caching to minimize authentication overhead

✓ Cryptographic operations are for legitimate Feishu event decryption

✓ Configuration files contain example/placeholder values only

✓ No credential harvesting beyond Feishu API authentication needs

✓ No data exfiltration - logs stored in designated Feishu Bitable

✓ All functionality declared and explained in SKILL.md

Scan Report

File Tree

Dependencies 4 items

Security Positives