中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 10/100
Last scan:1 day ago Rescan
10 /100
feishu-all-in-one
飞书 All-in-One 技能包 - 开箱即用的飞书消息收发解决方案
Legitimate Feishu (Lark) messaging integration skill with proper credential handling and no malicious behavior detected.
Skill Namefeishu-all-in-one
Duration33.5s
Enginepi
Safe to install
No action required. Consider adding an explicit allowed-tools declaration in SKILL.md to improve transparency.

Findings 2 items

Severity Finding Location
Low
Missing allowed-tools declaration Doc Mismatch
SKILL.md does not declare filesystem:READ or network:READ despite the code accessing ~/.openclaw/openclaw.json and making API calls to open.feishu.cn
No allowed-tools section in skill metadata
→ Add allowed-tools declaration: Read→filesystem:READ, WebFetch→network:READ
 SKILL.md:1
Info
Reads OpenClaw configuration file Sensitive Access
Scripts read ~/.openclaw/openclaw.json to access Feishu credentials. This is legitimate behavior for a messaging integration.
const configPath = path.join(os.homedir(), '.openclaw', 'openclaw.json')
→ Expected behavior - no action needed
 scripts/card-callback-server.js:14
ResourceDeclaredInferredStatusEvidence
Filesystem NONE READ ✓ Aligned scripts/card-callback-server.js:14-20 reads ~/.openclaw/openclaw.json
Network NONE READ ✓ Aligned All network requests go to official Feishu API endpoints (open.feishu.cn)
Environment READ READ ✓ Aligned FEISHU_APP_ID and FEISHU_APP_SECRET accessed as declared
Shell NONE NONE No subprocess or shell execution found in codebase
55 findings
🔗
Medium External URL 外部 URL
https://open.feishu.cn/
README.md:9
🔗
Medium External URL 外部 URL
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal
scripts/feishu_file_sender.py:12
🔗
Medium External URL 外部 URL
https://open.feishu.cn/open-apis/im/v1/files
scripts/feishu_file_sender.py:14
🔗
Medium External URL 外部 URL
https://open.feishu.cn/open-apis/im/v1/messages
scripts/feishu_file_sender.py:15
🔗
Medium External URL 外部 URL
https://open.feishu.cn/open-apis/bot/v3/info
scripts/feishu_proactive_messenger.py:20
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@larksuiteoapi/node-sdk/-/node-sdk-1.59.0.tgz
scripts/package-lock.json:17
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/aspromise/-/aspromise-1.1.2.tgz
scripts/package-lock.json:32
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/base64/-/base64-1.1.2.tgz
scripts/package-lock.json:38
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/codegen/-/codegen-2.0.4.tgz
scripts/package-lock.json:44
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz
scripts/package-lock.json:50
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/fetch/-/fetch-1.1.0.tgz
scripts/package-lock.json:56
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/float/-/float-1.0.2.tgz
scripts/package-lock.json:66
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/inquire/-/inquire-1.1.0.tgz
scripts/package-lock.json:72
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/path/-/path-1.1.2.tgz
scripts/package-lock.json:78
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/pool/-/pool-1.1.0.tgz
scripts/package-lock.json:84
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@protobufjs/utf8/-/utf8-1.1.0.tgz
scripts/package-lock.json:90
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@types/node/-/node-25.3.3.tgz
scripts/package-lock.json:96
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/asynckit/-/asynckit-0.4.0.tgz
scripts/package-lock.json:105
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/axios/-/axios-1.13.6.tgz
scripts/package-lock.json:111
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz
scripts/package-lock.json:122
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/call-bound/-/call-bound-1.0.4.tgz
scripts/package-lock.json:135
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/combined-stream/-/combined-stream-1.0.8.tgz
scripts/package-lock.json:151
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/delayed-stream/-/delayed-stream-1.0.0.tgz
scripts/package-lock.json:163
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/dunder-proto/-/dunder-proto-1.0.1.tgz
scripts/package-lock.json:172
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/es-define-property/-/es-define-property-1.0.1.tgz
scripts/package-lock.json:186
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/es-errors/-/es-errors-1.3.0.tgz
scripts/package-lock.json:195
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/es-object-atoms/-/es-object-atoms-1.1.1.tgz
scripts/package-lock.json:204
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz
scripts/package-lock.json:216
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/follow-redirects/-/follow-redirects-1.15.11.tgz
scripts/package-lock.json:231
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/form-data/-/form-data-4.0.5.tgz
scripts/package-lock.json:251
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/function-bind/-/function-bind-1.1.2.tgz
scripts/package-lock.json:267
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/get-intrinsic/-/get-intrinsic-1.3.0.tgz
scripts/package-lock.json:276
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/get-proto/-/get-proto-1.0.1.tgz
scripts/package-lock.json:300
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/gopd/-/gopd-1.2.0.tgz
scripts/package-lock.json:313
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/has-symbols/-/has-symbols-1.1.0.tgz
scripts/package-lock.json:325
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/has-tostringtag/-/has-tostringtag-1.0.2.tgz
scripts/package-lock.json:337
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/hasown/-/hasown-2.0.2.tgz
scripts/package-lock.json:352
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/lodash.identity/-/lodash.identity-3.0.0.tgz
scripts/package-lock.json:364
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/lodash.merge/-/lodash.merge-4.6.2.tgz
scripts/package-lock.json:370
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/lodash.pickby/-/lodash.pickby-4.6.0.tgz
scripts/package-lock.json:376
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/long/-/long-5.3.2.tgz
scripts/package-lock.json:382
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/math-intrinsics/-/math-intrinsics-1.1.0.tgz
scripts/package-lock.json:388
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/mime-db/-/mime-db-1.52.0.tgz
scripts/package-lock.json:397
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/mime-types/-/mime-types-2.1.35.tgz
scripts/package-lock.json:406
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/object-inspect/-/object-inspect-1.13.4.tgz
scripts/package-lock.json:418
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/protobufjs/-/protobufjs-7.5.4.tgz
scripts/package-lock.json:430
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/proxy-from-env/-/proxy-from-env-1.1.0.tgz
scripts/package-lock.json:454
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/qs/-/qs-6.15.0.tgz
scripts/package-lock.json:460
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/side-channel/-/side-channel-1.1.0.tgz
scripts/package-lock.json:475
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/side-channel-list/-/side-channel-list-1.0.0.tgz
scripts/package-lock.json:494
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/side-channel-map/-/side-channel-map-1.0.1.tgz
scripts/package-lock.json:510
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz
scripts/package-lock.json:528
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/undici-types/-/undici-types-7.18.2.tgz
scripts/package-lock.json:547
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/ws/-/ws-8.19.0.tgz
scripts/package-lock.json:553
🔗
Medium External URL 外部 URL
https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=$
scripts/send-card.js:42

File Tree

17 files · 175.0 KB · 5875 lines
JavaScript 4f · 3947L JSON 9f · 1018L Markdown 2f · 479L Python 2f · 431L
├─ 📁 references
│ ├─ 📋 confirmation-card.json JSON 41L · 1.1 KB
│ ├─ 📋 form-card.json JSON 103L · 2.7 KB
│ ├─ 📋 poll-card.json JSON 65L · 1.7 KB
│ ├─ 📋 test-card.json JSON 37L · 622 B
│ └─ 📋 todo-card.json JSON 137L · 4.0 KB
├─ 📁 scripts
│ ├─ 📁 examples
│ │ └─ 📋 test-card.json JSON 37L · 622 B
│ ├─ 📜 card-callback-original.js JavaScript 1644L · 50.9 KB
│ ├─ 📜 card-callback-server.js JavaScript 1657L · 51.3 KB
│ ├─ 📜 card-templates.js JavaScript 440L · 10.0 KB
│ ├─ 🐍 feishu_file_sender.py Python 220L · 6.7 KB
│ ├─ 🐍 feishu_proactive_messenger.py Python 211L · 6.4 KB
│ ├─ 📋 package-lock.json JSON 573L · 21.1 KB
│ ├─ 📋 package.json JSON 13L · 341 B
│ └─ 📜 send-card.js JavaScript 206L · 6.4 KB
├─ 📋 _meta.json JSON 12L · 268 B
├─ 📝 README.md Markdown 75L · 1.4 KB
└─ 📝 SKILL.md Markdown 404L · 9.3 KB

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
@larksuiteoapi/node-sdk ^1.59.0 npm No Official Lark/Feishu SDK from trusted vendor
axios ^1.6.0 npm No Version range acceptable

Security Positives

✓ No subprocess or shell execution found
✓ No credential exfiltration detected - credentials only sent to official Feishu API
✓ Path traversal protection implemented in send-card.js for custom templates
✓ No base64-encoded or obfuscated code found
✓ Dependencies are from trusted sources (@larksuiteoapi/node-sdk, axios)
✓ No hidden functionality or shadow behavior detected
✓ All network requests target official Feishu API endpoints
✓ Proper error handling and input validation present