feishu-docx

Fail

Audited by Socket on Mar 18, 2026

3 alerts found:

Obfuscated File x3
Obfuscated File: HIGH
scripts/feishu-to-markdown.js

This code implements a Feishu document downloader/converter with license enforcement. It performs hardware fingerprinting via execSync, validates/creates signed license/usage JSON files on disk, and downloads documents/media from Feishu using provided tenant_access_token. The code is intentionally obfuscated (string table and decoder). I did not find evidence of backdoor behavior, remote shells, or credential harvesting beyond using the tenant_access_token passed to it. However, it does collect sensitive machine identifiers and writes signed usage/license data locally; combined with obfuscation, this is privacy-invasive and warrants caution. If you require a fully auditable module, request a deobfuscated/plain-source variant or avoid using the package.

Confidence: 98%
Obfuscated File: HIGH
scripts/get-tenant-access-token.js

This file implements an obfuscated license/trial enforcement and usage-tracking module. It collects hardware identifiers using OS commands, constructs hashed machine IDs, validates and signs local license/usage files, and contacts a remote server exchanging app_id/app_secret for tokens. There is no clear evidence of a backdoor, reverse shell, or active sabotage, but the code performs privacy-sensitive fingerprinting and exfiltrates application credentials and machine identifiers to an external endpoint. The obfuscation and forced process.exit behavior increase supply-chain risk and make auditing harder. Use caution: if integrating this module, verify the remote endpoint, understand the privacy implications, and be aware it can terminate the host process on license failures.

Confidence: 90%
Obfuscated File: HIGH
SKILL.md

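The skill's apparent purpose and its capabilities are broadly consistent: it converts between Feishu documents and Markdown, and needs Feishu credentials to interact with document content. The core problem, however, is that the actual execution logic is obfuscated and comes with a request not to review it, so key data flows, dependency behavior and credential handling cannot be independently verified. No clear malice or third-party credential relaying was observed, so it is better classified as SUSPICIOUS rather than MALICIOUS.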

Confidence: 95%
Audit Metadata
Analyzed At: Mar 18, 2026, 04:57 PM
Package URL: pkg:socket/skills-sh/steelan9199%2Fwechat-publisher-skill%2Ffeishu-docx%2F@eaece09a8d3f452dc02dc716eb52e27ce7e17066