subscribe-filter-feishu 安全扫描报告 — 低风险 | ClawSafe

10 /100

subscribe-filter-feishu

订阅-过滤-飞书推送。通过WebSocket订阅数据流，大模型智能过滤，自动推送到飞书。

A legitimate WebSocket data subscription, LLM filtering, and Feishu push notification service. No malicious behavior detected; all operations align with documented functionality.

技能名称subscribe-filter-feishu

分析耗时39.7s

引擎pi

✓

可以安装

Skill is safe to use. Consider pinning axios/ws versions in package.json for supply-chain stability, but no security action is required.

安全发现 4 项

严重性	安全发现	位置
低危	Filesystem access not declared in SKILL.md SKILL.md does not mention that the skill reads config from and writes logs/PID/stats to the user's home directory (~/.openclaw/, ~/clawd/data/). This is a minor documentation gap but poses no security risk since operations are scoped and expected for a daemon-style tool. `const CONFIG_PATH = path.join(os.homedir(), '.openclaw', 'subscribe-filter-feishu.json')` → Add a 'Data Directory' section to SKILL.md explicitly noting filesystem READ/WRITE access to ~/clawd/data/	`scripts/receiver.js:43`
低危	Network capability inference exceeds declaration SKILL.md declares only a 'WebSocket 实时订阅数据流' (WebSocket READ). The implementation also makes outbound HTTP POST requests to Feishu API and LLM API endpoints. This is necessary for the core feature but not explicitly documented. `await axios.post('https://open.feishu.cn/open-apis/auth/v3/app_access_token/internal', ...)` → Add explicit documentation listing Feishu API and LLM API endpoints as declared outbound network destinations	`scripts/receiver.js:147`
提示	Unpinned dependency versions package.json uses caret ranges (^8.14.2, ^1.6.0) for ws and axios. While not a critical issue, pinning to exact versions improves reproducibility and reduces supply-chain risk. `"ws": "^8.14.2"` → Pin ws and axios to specific versions (e.g., [email protected], [email protected])	`package.json:10`
提示	process.kill(pid, 0) used for PID check The PID check uses process.kill(pid, 0) to test if a process exists. This is a legitimate technique for preventing duplicate instances, not malicious. `process.kill(pid, 0)` → No action needed — this is a standard daemon pattern	`scripts/receiver.js:77`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ+WRITE`	✓ 一致	scripts/receiver.js:147,185 (Feishu API POST), scripts/receiver.js:220 (LLM API …
文件系统	`NONE`	`READ+WRITE`	✓ 一致	scripts/receiver.js:43-47 (config, PID, log, stats paths in ~/)
命令执行	`NONE`	`NONE`	—	No shell execution found
环境变量	`NONE`	`NONE`	—	No environment variable iteration
技能调用	`NONE`	`NONE`	—	No skill-to-skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

27 项发现

🔗

中危外部 URL 外部 URL

https://ark.cn-beijing.volces.com/api/v3

SKILL.md:38

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/asynckit/-/asynckit-0.4.0.tgz

package-lock.json:17

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/axios/-/axios-1.13.6.tgz

package-lock.json:23

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz

package-lock.json:34

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/combined-stream/-/combined-stream-1.0.8.tgz

package-lock.json:47

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/delayed-stream/-/delayed-stream-1.0.0.tgz

package-lock.json:59

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz

package-lock.json:68

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz

package-lock.json:82

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz

package-lock.json:91

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz

package-lock.json:100

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz

package-lock.json:112

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/follow-redirects/-/follow-redirects-1.15.11.tgz

package-lock.json:127

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/form-data/-/form-data-4.0.5.tgz

package-lock.json:147

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz

package-lock.json:163

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz

package-lock.json:172

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz

package-lock.json:196

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz

package-lock.json:209

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz

package-lock.json:221

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/has-tostringtag/-/has-tostringtag-1.0.2.tgz

package-lock.json:233

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/hasown/-/hasown-2.0.2.tgz

package-lock.json:248

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz

package-lock.json:260

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/mime-db/-/mime-db-1.52.0.tgz

package-lock.json:269

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/mime-types/-/mime-types-2.1.35.tgz

package-lock.json:278

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz

package-lock.json:290

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com/ws/-/ws-8.19.0.tgz

package-lock.json:296

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/open-apis/auth/v3/app_access_token/internal

scripts/receiver.js:147

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id

scripts/receiver.js:185

目录结构

5 文件 · 23.9 KB · 832 行

JavaScript 1f · 374L JSON 3f · 338L Markdown 1f · 120L

├─ ▾ 📁 scripts

│ └─ 📜 receiver.js JavaScript 374L · 9.9 KB

├─ 📋 metadata.json JSON 9L · 289 B

├─ 📋 package-lock.json JSON 316L · 10.7 KB

├─ 📋 package.json JSON 13L · 289 B

└─ 📝 SKILL.md Markdown 120L · 2.7 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`ws`	`^8.14.2`	npm	否	Caret range; consider pinning to exact version
`axios`	`^1.6.0`	npm	否	Caret range; axios 1.x is actively maintained, no critical CVEs

安全亮点

✓ No shell command execution, subprocess, or eval() found

✓ No credential harvesting or exfiltration — API keys stay local and are only used for intended API calls

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No base64-encoded payloads or obfuscated code

✓ No curl|bash or wget|sh remote script execution

✓ No hidden HTML comments or steganographic payloads

✓ No self-replication or persistence mechanisms beyond normal PID/log files

✓ Error handling is robust (uncaughtException/unhandledRejection handlers prevent crashes)

✓ Token management properly handles expiry and refresh