feishu-permission-setup
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions and scripts access the sensitive local file
~/.openclaw/openclaw.jsonto retrieve FeishuappIdandappSecretcredentials. - [COMMAND_EXECUTION]: The AI is guided to execute shell commands, including
curlandjq, which process raw application secrets in plain text. This behavior can lead to credentials being exposed in shell history, process monitoring tools, or system logs. - [DATA_EXFILTRATION]: While the credentials are sent to the official Feishu API (
open.feishu.cn), the practice of extracting raw secrets from local storage and transmitting them via shell-invoked network requests is a significant data handling risk. - [PROMPT_INJECTION]: The skill processes external inputs such as permission scopes and changelog text which are interpolated into browser automation logic, creating an indirect prompt injection surface.
- Ingestion points: Command-line arguments in
scripts/feishu_scope_publish.js(e.g.,--scopes,--changelog,--reviewNote). - Boundary markers: None; the script lacks delimiters to differentiate between code-level instructions and data-level input.
- Capability inventory: Full browser automation via Playwright, local file system read/write access (for artifacts and profiles), and network requests via
curlas defined inSKILL.md. - Sanitization: The script performs basic string trimming and regex-based input filtering, which may be insufficient to prevent logic manipulation through maliciously crafted input strings.
Audit Metadata