feishu-interactive-cards
Audited by Socket on Feb 16, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

All findings:
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

BENIGN: The code fragment describes a coherent, purpose-aligned Feishu interactive card system with proper safeguards, configuration-based credentials, and a well-defined data flow through a callback gateway. While it introduces additional network components (long-polling callback server and gateway) that require trust in the OpenClaw ecosystem, these are consistent with the stated architecture and do not exhibit malicious behavior based on the provided material. Recommended precautions: secure credential storage, rotate tokens, restrict network exposure, and implement input validation at all boundaries.

LLM verification: No direct indicators of malware or intentional backdoor behavior in the provided code fragment. The primary security concern is operational: user-controlled callback data can trigger high-impact local actions (file deletion) and callbacks are routed through a centralized OpenClaw Gateway. The example contains some mitigations (path.resolve and startsWith check, admonitions against shell commands), but lacks stronger safeguards shown in the snippet: explicit allowlists, origin authentication, RBA