feishu-bot-manager 安全扫描报告 — 低风险 | ClawSafe

30 /100

feishu-bot-manager

飞书多账户机器人配置管理 skill

Feishu bot management skill with legitimate config-file and CLI operations, but with minor documentation gaps: shell execSync calls and App Secret plain-text storage are not explicitly declared in SKILL.md.

技能名称feishu-bot-manager

分析耗时54.4s

引擎pi

✓

可以安装

Add explicit declarations in SKILL.md for shell:WRITE (execSync for openclaw gateway restart and config set) and credential storage behavior. Consider whether App Secret can be stored in a more secure vault instead of plain JSON.

安全发现 4 项

严重性	安全发现	位置
中危	Shell execution not declared in SKILL.md 文档欺骗 index.js uses execSync to run 'openclaw config set' and 'openclaw gateway restart' (lines 105, 112), but SKILL.md does not declare shell:WRITE access. Only CLI usage examples are shown. The skill should explicitly list shell execution as a required capability. `execSync('openclaw config set session.dmScope "per-account-channel-peer"', { stdio: 'pipe' });` → Add shell:WRITE to the skill's declared capabilities in SKILL.md, documenting that the skill runs 'openclaw gateway restart' and 'openclaw config set' as the shell commands.	`index.js:105`
中危	App Secret stored in plain-text config file without declaration 凭证窃取 The Feishu App Secret is written to ~/.openclaw/openclaw.json in plain text (line 97). SKILL.md describes the binding flow but never mentions that the secret is persisted locally. While necessary for the feature, this should be explicitly documented. `appSecret: appsecret` → Add a note in SKILL.md under '注意事项' that the appSecret is stored in plain text in the openclaw config file. Consider recommending use of a secrets manager instead.	`index.js:97`
低危	Broad execSync scope — no command allowlist 文档欺骗 The execSync calls invoke the 'openclaw' CLI with arbitrary arguments constructed from user input. While the specific calls are limited, there is no input sanitization or command allowlist, meaning a compromised openclaw CLI could be leveraged for broader execution. `execSync('openclaw config set session.dmScope "per-account-channel-peer"', { stdio: 'pipe' });` → While the current implementation is benign, consider validating the CLI arguments or using a more constrained API if available.	`index.js:105`
低危	HOME directory path access without scope declaration 敏感访问 The skill constructs paths using $HOME/.openclaw/ (line 21) to read/write config. This is filesystem WRITE access to a user-specific directory. SKILL.md does not declare this scope. `const CONFIG_PATH = path.join(process.env.HOME, '.openclaw', 'openclaw.json');` → Declare filesystem:WRITE with the specific path scope ~/.openclaw/ in SKILL.md.	`index.js:21`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`WRITE`	✗ 越权	index.js:89 writes to ~/.openclaw/openclaw.json
命令执行	`NONE`	`WRITE`	✗ 越权	index.js:105,112 execSync calls to openclaw CLI
网络访问	`NONE`	`NONE`	—	No direct network calls; Feishu API calls would be made by the openclaw gateway …
环境变量	`NONE`	`READ`	✗ 越权	index.js:21 reads process.env.HOME for config paths
技能调用	`NONE`	`NONE`	—	No cross-skill invocation observed
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	SKILL.md references a URL but no browser automation
数据库	`NONE`	`NONE`	—	No database access

1 项发现

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/page/openclaw?form=multiAgent

SKILL.md:14

目录结构

5 文件 · 18.1 KB · 580 行

JavaScript 2f · 320L Markdown 2f · 248L JSON 1f · 12L

├─ ▾ 📁 lib

│ └─ 📜 validator.js JavaScript 68L · 1.4 KB

├─ ▾ 📁 references

│ └─ 📝 new-agent-governance.md Markdown 94L · 4.0 KB

├─ 📜 index.js JavaScript 252L · 7.4 KB

├─ 📋 package.json JSON 12L · 235 B

└─ 📝 SKILL.md Markdown 154L · 5.1 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`readline`	`^1.3.0`	npm	否	Built-in Node.js module; pinned version

安全亮点

✓ No base64-encoded payloads, reverse shells, or obfuscated code

✓ No network requests from the skill itself (Feishu API calls go through openclaw gateway)

✓ Automatic backup of config before modification (line 87) — a good safety practice

✓ Input validation on App ID, Account ID, Chat ID formats via lib/validator.js

✓ Graceful error handling with fallback messages when CLI commands fail

✓ No iteration over environment variables for credential harvesting

✓ No cron, startup hooks, or persistence mechanisms installed

✓ No external script downloads (curl|bash, wget|sh patterns)

✓ Minimal dependencies (only readline, built-in Node.js modules)