feishu-agent-mesh 安全扫描报告 — 可信 | ClawSafe

5 /100

feishu-agent-mesh

Blueprint for wiring multiple OpenClaw agents into the same Feishu group chats for autonomous multi-turn discussions, task handoffs, and logging

Legitimate multi-agent coordination framework for Feishu (Lark) with no malicious behavior detected. All code performs documented functionality with proper use of Feishu APIs.

技能名称feishu-agent-mesh

分析耗时45.4s

引擎pi

✓

可以安装

This skill is safe to use. Ensure proper handling of environment variables for production deployments.

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	feishu-callback-server.js:33-36,56-62
环境变量	`READ`	`READ`	✓ 一致	feishu-callback-server.js:15-24
文件系统	`NONE`	`NONE`	—	No file operations in implementation
命令执行	`NONE`	`NONE`	—	Node.js uses fetch/http, no subprocess or exec calls
技能调用	`NONE`	`NONE`	—	Configuration-based routing only

5 项发现

🔗

中危外部 URL 外部 URL

https://relay.example.com/feishu/callback

SKILL.md:51

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal

scripts/feishu-callback-server.js:33

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/open-apis/bitable/v1/apps/$

scripts/feishu-callback-server.js:56

🔗

中危外部 URL 外部 URL

https://xiaogua.example.com/tools/invoke

scripts/relay-config.example.json:10

🔗

中危外部 URL 外部 URL

https://xiaogu.example.com/tools/invoke

scripts/relay-config.example.json:22

目录结构

10 文件 · 24.9 KB · 540 行

Markdown 7f · 298L JSON 2f · 127L JavaScript 1f · 115L

├─ ▾ 📁 references

│ ├─ 📝 architecture.md Markdown 45L · 2.2 KB

│ ├─ 📝 deployment-checklist.md Markdown 40L · 2.1 KB

│ ├─ 📝 info-collection-template.md Markdown 15L · 1.2 KB

│ ├─ 📝 logging-schema.md Markdown 47L · 2.0 KB

│ └─ 📝 workflow-templates.md Markdown 39L · 2.1 KB

├─ ▾ 📁 scripts

│ ├─ 📜 feishu-callback-server.js JavaScript 115L · 3.8 KB

│ ├─ 📝 README.md Markdown 24L · 845 B

│ └─ 📋 relay-config.example.json JSON 65L · 1.5 KB

├─ ▾ 📁 templates

│ └─ 📋 accounts.example.json JSON 62L · 1.6 KB

└─ 📝 SKILL.md Markdown 88L · 7.6 KB

依赖分析 4 项

包名	版本	来源	已知漏洞	备注
`express`	`*`	npm	否	Standard web framework
`body-parser`	`*`	npm	否	Express middleware for parsing request bodies
`node-fetch`	`*`	npm	否	HTTP client for Feishu API calls
`crypto`	`builtin`	Node.js	否	Built-in module for AES decryption

安全亮点

✓ Clean, readable JavaScript implementation with no obfuscation

✓ All network requests go to official Feishu API endpoints only

✓ No shell execution, subprocess, or system command calls

✓ Proper token caching to minimize authentication overhead

✓ Cryptographic operations are for legitimate Feishu event decryption

✓ Configuration files contain example/placeholder values only

✓ No credential harvesting beyond Feishu API authentication needs

✓ No data exfiltration - logs stored in designated Feishu Bitable

✓ All functionality declared and explained in SKILL.md