feishu-card
Fail
Audited by Socket on Mar 1, 2026
1 alert found:
Obfuscated File (severity: HIGH): handle_event.js
This module is not obviously malicious on its own, but it contains a high-risk command injection vulnerability: untrusted values (userOpenId and menuKey) are interpolated into a shell command executed via child_process.execSync, allowing an attacker who controls eventPayload to execute arbitrary commands. The primary risk is remote command execution on the host. Recommended remediation: replace the execSync usage with execFile/spawn, apply strict input validation/escaping to these values, and avoid logging entire payloads in production.
Confidence: 98%
Audit Metadata