feishu-e2e-test

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data from the Feishu web interface (messenger) to test bot flows.
      • Ingestion points: Feishu messenger web UI accessed via agent-browser.
      • Boundary markers: None. The skill lacks delimiters or instructions to ignore embedded commands in the messages it reads.
      • Capability inventory: The skill utilizes the Bash tool with broad permissions (agent-browser:*), enabling filesystem access, system command execution, and log reading.
      • Sanitization: No sanitization of ingested message content is performed before the agent processes or responds to it.
  • Data Exposure (HIGH): The skill explicitly directs the agent to read and monitor sensitive files including ~/.openclaw/logs/gateway.log and session JSON files in ~/.openclaw/agents/main/sessions/. These files frequently contain authentication secrets (appid/secret), API tokens, and private user conversation history. It also identifies .env as a source of secrets.
  • Command Execution (MEDIUM): The skill promotes the use of complex Bash scripts, including loops and grep, to interact with the system and logs. When combined with the high Indirect Prompt Injection risk, this capability allows an attacker to escalate from a malicious message to local command execution or data exfiltration.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 06:05 AM