feishu-docs
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): Shell injection vulnerability detected in
scripts/create_doc.sh. The script interpolates the$DOC_TITLEvariable directly into acurlcommand string without proper escaping or usingjqfor JSON construction. An attacker providing a crafted document title could execute arbitrary shell commands. - Evidence:
CREATE_RESPONSE=$(curl -s -X POST "..." -d "{\"title\": \"$DOC_TITLE\"}")inscripts/create_doc.sh. - REMOTE_CODE_EXECUTION (MEDIUM): The script
scripts/ensure_user_token.shattempts to execute scripts from absolute and unverifiable local paths, including a specific user directory (/Users/gcx/...). This creates a dependency on an external, unmanaged environment and could lead to the execution of unintended code if the path exists or is hijacked. - Evidence:
REFRESH_SCRIPTS=("/Users/gcx/clawd/skills/feishu-tasks/scripts/refresh_token.sh" ...)followed bybash "$SCRIPT_"inscripts/ensure_user_token.sh. - DATA_EXPOSURE (MEDIUM): The skill accesses a sensitive credential file at
~/.feishu-credentials.json. While this is necessary for its primary function of Feishu integration, it represents a risk of credential exposure if the agent is compromised. (Severity downgraded from HIGH per primary skill purpose). - INDIRECT_PROMPT_INJECTION (LOW): The skill possesses a vulnerability surface for indirect prompt injection as it ingests untrusted data from an external API and lacks sanitization.
- Ingestion points:
scripts/read_doc.sh(reads document blocks from Feishu API). - Boundary markers: None present; document content is extracted and displayed as raw text.
- Capability inventory: File system access, shell command execution (via other scripts), and network operations via
curl. - Sanitization: None; the script extracts text elements directly via
jqwithout filtering or escaping content.
Audit Metadata