Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Evolver Wrapper
v1.8.0 · Feishu-integrated wrapper for the capability-evolver. Manages the evolution loop lifecycle (start/stop/ensure), sends rich Feishu card reports, and provides...
⭐ 8 · 54.6k · 172 current · 182 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill's name/description say it's a Feishu wrapper for capability-evolver, and most of the code implements reporting and lifecycle management. However, the registry lists no required env vars or credentials while the code expects numerous Feishu and OpenClaw-related env vars (e.g., FEISHU_APP_ID, FEISHU_EVOLVER_DOC_TOKEN, FEISHU_LOG_TARGET, OPENCLAW_MASTER_ID, OPENCLAW_CLI_PATH, MEMORY_DIR, etc.). Omitting these required configuration items from the metadata is an incoherence between what the registry declares and what the code needs.
Instruction Scope
SKILL.md gives simple run commands (node index.js, lifecycle.js, visualize_dashboard.js), but the code accesses many workspace files (memory/, logs/, assets/gep/events.jsonl, feishu_token.json), system paths (/proc, /tmp), runs other local scripts (skills/feishu-doc/create.js, append_simple.js), and calls Feishu API endpoints (open.feishu.cn). The runtime instructions are too terse relative to the broader file I/O, process control, and network activity the code performs.
Install Mechanism
No install/download spec; code is provided in the skill bundle and there are no external download URLs or package installs. No brew/npm/pip downloads were specified, so install-time remote code fetch risk is low.
Credentials
The skill reads and expects many environment variables and credentials (FEISHU_APP_ID/FEISHU_EVOLVER_DOC_TOKEN/FEISHU_BOT_NAME/OPENCLAW_MASTER_ID/OPENCLAW_CLI_PATH, plus optional toggles like EVOLVE_*). None of these are declared in the registry metadata. The code also reads token files (memory/feishu_token.json) and will upload log contents to Feishu Docs — which is proportional for reporting but sensitive. These undeclared credential dependencies and file reads are a mismatch and increase risk.
Persistence & Privilege
Although the metadata sets always:false, the skill launches detached daemon processes, writes PID files, heartbeat files, and other persistent state under memory/ and logs/, and spawns background 'ensure' and report processes. This gives it an ongoing background presence and the ability to run subprocesses on the host; that is expected for a lifecycle watchdog but should be highlighted to users before they enable it.
What to consider before installing
This skill appears to implement the advertised Feishu reporting and lifecycle features, but the package metadata omits the many environment variables and filesystem permissions the code requires. Before installing or running it:
- Inspect feishu-common/index.js (fetchWithAuth) and any referenced scripts (skills/feishu-doc/create.js, append_simple.js) to confirm how auth tokens are used and where data is sent.
- Expect the wrapper to read/write workspace files (memory/, logs/, assets/), to read feishu_token.json and other token files, and to POST data to https://open.feishu.cn — if those tokens exist they could be used to post internal logs.
- Note it spawns detached daemons and writes PID/heartbeat files; run it in an isolated/container environment if you want to limit persistent effects.
- Audit uses of execSync/child_process.spawn where command strings include unescaped user or env data (some commands are built using template concatenation) — these are potential shell-injection vectors.
- If you only need non-persistent reporting, consider running scripts manually rather than enabling the daemon.
If you want a lower-risk install, ask the publisher to (1) declare required env vars & permissions in metadata, (2) document precisely what files it reads/writes and what network endpoints it calls, and (3) avoid shell command construction with unescaped user-provided content. If you cannot audit the referenced helper modules or scripts, treat this as higher risk and run it in a sandboxed environment.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- exec_cache.js:19: Shell command execution detected (child_process).
- index.js:493: Shell command execution detected (child_process).
- issue_tracker.js:64: Shell command execution detected (child_process).
- lifecycle.js:95: Shell command execution detected (child_process).
- report.js:130: Shell command execution detected (child_process).
- self-repair.js:21: Shell command execution detected (child_process).
- skills_monitor.js:65: Shell command execution detected (child_process).
- index.js:1144: Dynamic code execution detected.
- export_history.js:15: Environment variable access combined with network send.
- visualize_dashboard.js:21: Environment variable access combined with network send.
- export_history.js:23: File read combined with network send (possible exfiltration).
- visualize_dashboard.js:143: File read combined with network send (possible exfiltration).
