feishu-interactive-cards

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): In SKILL.md, the 'Use in Agent' section provides a code example that uses shell command execution via exec with interpolated variables: node .../send-card.js ... --chat-id ${chatId}. If an external user provides a malicious chat ID (e.g., oc_xxx; rm -rf /), it will result in arbitrary command execution on the host system. This pattern bypasses the safety claims made in the skill's README.
  • DATA_EXFILTRATION (MEDIUM): The scripts/send-card.js file allows reading local files through the --template flag. Although it checks against a whitelist in allowedDirs, it includes path.join(process.cwd(), 'templates'). If the agent's working directory contains sensitive JSON files in those folders, an attacker could potentially influence the template path to exfiltrate file contents to Feishu.
  • INDIRECT_PROMPT_INJECTION (HIGH): This skill is highly susceptible to indirect injection because its core function is to process untrusted data from external Feishu users (button clicks, form inputs). The mandatory evidence chain analysis reveals:
      ◦ Ingestion points: Untrusted data enters via card-callback-server.js (referenced in README) and is processed in the callback handlers described in SKILL.md.
      ◦ Boundary markers: None are provided or suggested in the integration examples.
      ◦ Capability inventory: The skill utilizes network operations (axios) and suggests file-system operations (e.g., fs.unlink) in callback handlers.
      ◦ Sanitization: While the documentation mentions sanitization, the primary usage examples for the agent lack any validation logic for interpolated shell arguments.
  • PROMPT_INJECTION (LOW): The SKILL.md and README use authoritative and self-referential language ('Must use', 'Security First', 'Verdict: SAFE' style claims in CHANGELOG) intended to override the agent's default safety constraints and decision-making logic.
  • UNVERIFIABLE_CODE (MEDIUM): Several critical files mentioned as being essential for the skill's operation, including scripts/card-callback-server.js and scripts/card-templates.js, are missing from the distributed files, making it impossible to verify their internal security logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:19 AM