feishu-memory-recall
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, NO_CODE)
Full Analysis
- DATA_EXFILTRATION (MEDIUM): The skill is designed to read from ~/.openclaw/agents/main/sessions/sessions.json, which contains sensitive internal agent state and session metadata. Accessing private configuration files of the agent framework is a high-privilege operation that could be exploited to leak credentials.
- COMMAND_EXECUTION (LOW): In recall.js, the skill uses child_process.spawn to execute a local script. While it uses process.execPath (avoiding shell injection), it forwards raw command-line arguments and environment variables. This pattern can be risky if the receiving script lacks proper input validation.
- PROMPT_INJECTION (LOW): The skill acts as an indirect prompt injection surface by retrieving and summarizing external messages from Feishu groups. Attackers in these groups could post messages containing hidden instructions to manipulate the agent's behavior.
  - Ingestion points: External chat messages from Feishu groups and DMs.
  - Boundary markers: No explicit markers are defined to help the LLM distinguish between system instructions and untrusted message content.
  - Capability inventory: The skill has permissions to write to local files (RECENT_EVENTS.md) and make external API requests.
  - Sanitization: There is no evidence of sanitization or escaping of the message content before it is processed.
- NO_CODE (LOW): The file index.js, which contains the main logic for API interaction and file writing, is missing from the provided code, preventing a full security audit of its functionality.
Audit Metadata