Back to skill

Security audit

Feishu Evolver Wrapper

Security checks across malware telemetry and agentic risk

Overview

This skill has a real Feishu/evolver purpose, but it also gives itself broad autonomous powers to run agents, persist as a watchdog, modify skills, and push repository changes.

Install only if you intentionally want an autonomous evolver manager that can keep itself running, spawn agents, send operational data to Feishu, modify installed skills, and push workspace changes to git. Review Feishu token scope, target chats/docs, cron job creation, git remote/branch, and auto-heal behavior first; run it in an isolated workspace with backups and clear controls around outbound reports and git push.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
A health-check script is expected to observe and report state, but this code also mutates state by deleting `evolution_error.log` when it is older than 24 hours. In an agent/integration context, silently deleting diagnostic artifacts can hide failures, interfere with incident response, and make operators trust a health signal that has already altered evidence.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The comment presents stale log deletion as harmless hygiene, but the script silently changes evolver state during a check operation. Even if the immediate effect is limited, this violates operator expectations and reduces transparency around destructive actions, which is risky in automation and monitoring workflows.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This module exposes a generic shell execution primitive via `exec(command, ...)` and adds caching around arbitrary command strings, but it does not constrain commands to Feishu reporting or evolver lifecycle operations. In a skill whose stated purpose is wrapper/orchestration logic, this broad capability materially increases risk because any upstream untrusted input reaching `cachedExec` could become command injection or unauthorized host command execution.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The wrapper autonomously stages, commits, rebases, and pushes repository changes, which exceeds a Feishu reporting/lifecycle wrapper’s stated scope and gives the skill direct authority to persist and publish code changes. If the upstream evolver or injected task content is compromised, this turns the wrapper into an automated propagation mechanism that can exfiltrate changes to the remote repository or silently land malicious modifications.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The wrapper injects mandatory model-routing and workflow-shaping directives into the child agent, altering task execution semantics beyond simple delegation. This is dangerous because wrapper-controlled prompt injection can bypass user intent, steer the agent into unintended tools or behaviors, and compound the impact of other autonomous features like code modification and git sync.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The wrapper launches and supervises a separate Hand Agent process through the OpenClaw CLI, effectively creating a second autonomous execution layer with inherited environment and wrapper-supplied task content. In this context, that expands the attack surface substantially because compromised prompts, env vars, or intermediate outputs can drive downstream agent actions without human review.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The wrapper goes beyond managing the local evolver lifecycle and creates, edits, and enables external OpenClaw cron jobs. That broadens the skill's authority and persistence surface, creating a real security risk because invoking this skill can silently modify system scheduling state outside the user’s immediate expectations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file presents itself as a monitor but, by default, it mutates skill directories via auto-healing. This creates an integrity risk because merely running the checker can install packages or create files in other skills without explicit operator approval, turning a read-only audit step into a write-capable maintenance action.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The implementation materially differs from the declared Feishu/evolver-wrapper purpose and instead performs local skill scanning and remediation. This mismatch is dangerous because operators may grant or run the skill under assumptions appropriate for Feishu reporting, while the code actually has broader local execution and modification capabilities.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code executes shell commands to require arbitrary skill entry points during checking. Requiring an entry file can execute top-level code from untrusted local skills, and using shell invocation expands the attack surface beyond passive validation into active code execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill mentions exporting raw evolution history to Feishu Docs without warning users that operational history may contain sensitive metadata, prompts, logs, or other internal content. In this context, the omission is more dangerous because the wrapper is designed for automated reporting and daemonized lifecycle management, increasing the chance that data is exported routinely without meaningful user awareness.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Deleting a stale log file without warning removes potentially important forensic and debugging information, and it happens in a script that operators may assume is non-destructive. In the Feishu/evolver wrapper context, this can mask recurring failures and hinder root-cause analysis of the daemon lifecycle or reporting integration.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code uploads parsed evolution log history to Feishu without any consent prompt, sensitivity check, redaction step, or clear warning that logs may contain secrets, prompts, internal state, or other confidential data. Because the fallback path can export the last 50 log lines verbatim, sensitive information may be transmitted to an external SaaS unintentionally.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code writes issue content to a predictable location under /tmp before uploading it to Feishu, which can expose potentially sensitive operational context to other local users or processes on the same host if file permissions or the environment are not tightly controlled. In this skill context, the danger is increased because evolution issues and extraContext may contain internal errors, identifiers, or other sensitive debugging data that is automatically exfiltrated to an external SaaS document.

Missing User Warnings

High
Confidence
98% confidence
Finding
The fallback report path builds a shell command string with payload fields such as cycle, title, and color inserted without robust escaping, then executes it via execSync. An attacker who can influence those fields could inject shell metacharacters and execute arbitrary commands with the privileges of the wrapper process.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code executes several system-level shell commands to list, add, and edit cron jobs, which changes host scheduling state and can establish persistence. In a lifecycle/reporting wrapper, this hidden administrative behavior increases risk because a normal skill invocation may alter system automation without clear user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The --file option reads arbitrary local file content and sends it as a Feishu report, which can leak sensitive data if a user or calling automation passes secrets, configs, or other internal files. In this skill context, the wrapper is specifically designed to transmit content externally, so any unrestricted file-to-network path is more dangerous because it creates an easy exfiltration primitive.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code automatically deletes .git/index.lock based only on file age, without confirming that no git process is still active or that the lock is truly stale. If the lock belongs to a legitimate long-running git operation, removing it can corrupt repository state, interfere with concurrent processes, or cause loss of in-progress work in an unattended daemon context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The auto-heal path runs npm install automatically in each flagged skill directory. This can execute package lifecycle scripts and fetch remote content, allowing unreviewed code execution and supply-chain exposure triggered by a monitoring task without explicit user confirmation.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Automatically creating SKILL.md modifies skill contents without prior user consent. While lower severity than code execution, silent writes can interfere with source control, mask missing documentation problems, and violate expectations that monitoring is non-destructive.

Ssd 1

High
Confidence
96% confidence
Finding
The wrapper appends authoritative natural-language instructions marked as non-skippable, overriding the hand agent’s normal workflow and compelling it to create specific artifacts. This is dangerous because it establishes a prompt-level control channel that can force downstream agent behavior outside normal policy boundaries, especially in a system already capable of autonomous code changes and git publication.

Ssd 1

High
Confidence
97% confidence
Finding
The one-time thought injection mechanism reads arbitrary text from a file and places it directly into the agent’s behavioral context via EVOLVE_HINT. This creates an untrusted local prompt-injection channel: any process able to write that file can influence future agent actions, potentially steering code changes, reporting, or secondary-agent execution.

Ssd 3

Medium
Confidence
90% confidence
Finding
Failure lessons persist detailed prior errors and replay them into future prompts, which can leak sensitive data from one cycle into later agent contexts or external reporting paths. In an autonomous agent loop, stderr/stdout often contains secrets, file paths, tokens, or internal prompts, so retaining and re-injecting raw details increases cross-cycle data exposure risk.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
exec_cache.js:19

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.js:493

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
issue_tracker.js:64

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
lifecycle.js:95

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
report.js:130

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
self-repair.js:21

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
skills_monitor.js:65

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
index.js:1144

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
export_history.js:15

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
visualize_dashboard.js:21

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
export_history.js:23

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
visualize_dashboard.js:143