feishu-bot-manager Security Report — Low Risk | ClawSafe

30 /100

feishu-bot-manager

飞书多账户机器人配置管理 skill

Feishu bot management skill with legitimate config-file and CLI operations, but with minor documentation gaps: shell execSync calls and App Secret plain-text storage are not explicitly declared in SKILL.md.

Skill Namefeishu-bot-manager

Duration54.4s

Enginepi

✓

Safe to install

Add explicit declarations in SKILL.md for shell:WRITE (execSync for openclaw gateway restart and config set) and credential storage behavior. Consider whether App Secret can be stored in a more secure vault instead of plain JSON.

Findings 4 items

Severity	Finding	Location
Medium	Shell execution not declared in SKILL.md Doc Mismatch index.js uses execSync to run 'openclaw config set' and 'openclaw gateway restart' (lines 105, 112), but SKILL.md does not declare shell:WRITE access. Only CLI usage examples are shown. The skill should explicitly list shell execution as a required capability. `execSync('openclaw config set session.dmScope "per-account-channel-peer"', { stdio: 'pipe' });` → Add shell:WRITE to the skill's declared capabilities in SKILL.md, documenting that the skill runs 'openclaw gateway restart' and 'openclaw config set' as the shell commands.	`index.js:105`
Medium	App Secret stored in plain-text config file without declaration Credential Theft The Feishu App Secret is written to ~/.openclaw/openclaw.json in plain text (line 97). SKILL.md describes the binding flow but never mentions that the secret is persisted locally. While necessary for the feature, this should be explicitly documented. `appSecret: appsecret` → Add a note in SKILL.md under '注意事项' that the appSecret is stored in plain text in the openclaw config file. Consider recommending use of a secrets manager instead.	`index.js:97`
Low	Broad execSync scope — no command allowlist Doc Mismatch The execSync calls invoke the 'openclaw' CLI with arbitrary arguments constructed from user input. While the specific calls are limited, there is no input sanitization or command allowlist, meaning a compromised openclaw CLI could be leveraged for broader execution. `execSync('openclaw config set session.dmScope "per-account-channel-peer"', { stdio: 'pipe' });` → While the current implementation is benign, consider validating the CLI arguments or using a more constrained API if available.	`index.js:105`
Low	HOME directory path access without scope declaration Sensitive Access The skill constructs paths using $HOME/.openclaw/ (line 21) to read/write config. This is filesystem WRITE access to a user-specific directory. SKILL.md does not declare this scope. `const CONFIG_PATH = path.join(process.env.HOME, '.openclaw', 'openclaw.json');` → Declare filesystem:WRITE with the specific path scope ~/.openclaw/ in SKILL.md.	`index.js:21`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`WRITE`	✗ Violation	index.js:89 writes to ~/.openclaw/openclaw.json
Shell	`NONE`	`WRITE`	✗ Violation	index.js:105,112 execSync calls to openclaw CLI
Network	`NONE`	`NONE`	—	No direct network calls; Feishu API calls would be made by the openclaw gateway …
Environment	`NONE`	`READ`	✗ Violation	index.js:21 reads process.env.HOME for config paths
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation observed
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	SKILL.md references a URL but no browser automation
Database	`NONE`	`NONE`	—	No database access

1 findings

🔗

Medium External URL 外部 URL

https://open.feishu.cn/page/openclaw?form=multiAgent

SKILL.md:14

File Tree

5 files · 18.1 KB · 580 lines

JavaScript 2f · 320L Markdown 2f · 248L JSON 1f · 12L

├─ ▾ 📁 lib

│ └─ 📜 validator.js JavaScript 68L · 1.4 KB

├─ ▾ 📁 references

│ └─ 📝 new-agent-governance.md Markdown 94L · 4.0 KB

├─ 📜 index.js JavaScript 252L · 7.4 KB

├─ 📋 package.json JSON 12L · 235 B

└─ 📝 SKILL.md Markdown 154L · 5.1 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`readline`	`^1.3.0`	npm	No	Built-in Node.js module; pinned version

Security Positives

✓ No base64-encoded payloads, reverse shells, or obfuscated code

✓ No network requests from the skill itself (Feishu API calls go through openclaw gateway)

✓ Automatic backup of config before modification (line 87) — a good safety practice

✓ Input validation on App ID, Account ID, Chat ID formats via lib/validator.js

✓ Graceful error handling with fallback messages when CLI commands fail

✓ No iteration over environment variables for credential harvesting

✓ No cron, startup hooks, or persistence mechanisms installed

✓ No external script downloads (curl|bash, wget|sh patterns)

✓ Minimal dependencies (only readline, built-in Node.js modules)

Scan Report

Findings 4 items

File Tree

Dependencies 1 items

Security Positives