feishu-docx

Fail

Audited by Socket on Mar 26, 2026

4 alerts found:

Security ×2, Obfuscated File ×2

Security (MEDIUM)
config.default.json

This JSON is a configuration file containing plaintext credentials that appear genuine. The file is not executable malware, but it represents a high security risk: leaked credentials can lead to account compromise, unauthorized API access, and potentially ownership transfers. Immediate remediation (rotate and revoke secrets, remove from repos, audit for misuse, adopt secrets management) is strongly recommended.

Confidence: 85%, Severity: 80%

Security (MEDIUM)
SKILL.md

The skill's stated purpose is broadly consistent with Feishu document conversion, but its core implementation relies on obfuscated scripts that cannot be audited, and it requires reading a local credentials file and then forwarding those credentials to the scripts. No clear evidence of a hijacked third-party endpoint was found, so this is not sufficient to classify it as confirmed malicious; however, its transparency and verifiability are poor, and overall it should be rated suspicious and high-risk.

Confidence: 92%, Severity: 74%

Obfuscated File (HIGH)
scripts/feishu-to-markdown.js

This module is a license-gated document-downloader tool for Feishu (Lark) that is intentionally obfuscated and includes DRM/license enforcement. It collects hardware identifiers by executing system commands, computes hashes to validate stored license codes, and persists usage and license files locally. That behavior is privacy-sensitive and could be undesirable in many environments. Aside from that, I found no clear signs of malware (no remote backdoors, no attacker-controlled exfiltration domains, no dynamic code eval). The main risks are privacy (hardware fingerprinting), persistence of local usage/license data, obfuscation that reduces transparency, and execution of system commands via execSync. Reviewers should treat this package as potentially inappropriate for use in multi-tenant, shared, or CI environments and should inspect or remove the license/hardware-fingerprinting parts if they are not wanted.

Confidence: 98%
Obfuscated File (HIGH)
scripts/get-tenant-access-token.js

This file is an obfuscated licensing/activation/usage-tracking component that performs hardware fingerprinting (via execSync command outputs), stores signed license/usage data locally, and communicates over the network with a hardcoded licensing/tenant API using the supplied credentials. It enforces authorization by exiting the process when validation fails and manages trial counters. While it does not show typical backdoor patterns (reverse shell, arbitrary remote code execution, destructive file operations), it collects sensitive machine identifiers and transmits credentials to an external server; the heavy obfuscation and hardcoded remote URL increase supply-chain and privacy risk. Treat it as suspicious in an open-source dependency context: either remove it, replace it with transparent code, or thoroughly verify the remote service and its provenance before trusting it. Manual review and network allowlisting/monitoring are recommended.

Confidence: 98%
Audit Metadata

Analyzed At: Mar 26, 2026, 06:14 AM

Package URL: pkg:socket/skills-sh/steelan9199%2Fwechat-publisher%2Ffeishu-docx%2F@6986f75faef53896967061969b1fc92c26bbd79a