feishu-multi-agent

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: feishu-multi-agent
Version: 1.0.0

The skill is classified as suspicious due to explicit instructions in `SKILL.md` for agents to bypass OpenClaw's `Write` tool sandbox. It directs agents to use `bash` commands (e.g., `cat > file`, `cat file`, `ls dir`) for cross-workspace file operations and to create symlinks to move directories into agent workspaces, effectively circumventing security boundaries. While presented as a 'solution' for multi-agent orchestration, this capability represents a significant vulnerability, allowing arbitrary file system access and command execution if the agent is compromised or misdirected, which is a high-risk behavior.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could modify another agent's task queue or read files outside its intended workspace, bypassing path-boundary controls the user may expect to protect them.

Why it was flagged

The skill tells agents to use shell commands as an escape hatch for cross-workspace reads/writes instead of the scoped OpenClaw Write tool.

Skill content
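Sandbox restriction | The Write tool can only write inside the workspace; cross-workspace writes must use bash ... You must use bash commands to write task files; do not use the Write tool!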
Recommendation

Avoid automatic shell-based cross-workspace access. Use a dedicated handoff directory or scoped API, hard-code allowed paths, and require user approval for cross-workspace shell reads and writes.

What this means

Bots may keep sending messages, assigning tasks, or changing repositories after the original user interaction is over.

Why it was flagged

The skill instructs agents to keep operating through cron and to create or continue work even when no user-supplied task is pending.

Skill content
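Continuous work | High-frequency cron triggers + HEARTBEAT.md instructs the agent to start the next item as soon as one is finished ... When there is nothing pending, develop new games autonomously ... Don't stop; keep producing output continuously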
Recommendation

Make recurring jobs explicitly opt-in, set narrow schedules and time limits, require approval before external messages or Git pushes, and document how to disable every cron job.

What this means

Anyone following the guide gives the automation access to Feishu bot credentials and may let browser automation act through an already-authenticated account.

Why it was flagged

Feishu app secrets and reuse of a logged-in browser session are expected for Feishu bot setup, but they are sensitive account authority.

Skill content
"appSecret": "secret_aaa" ... Use `agent-browser --cdp-endpoint` to connect to an already logged-in browser, then create + configure in a loop
Recommendation

Use least-privilege Feishu apps, store secrets outside shared files, avoid broad admin sessions for automation when possible, and rotate credentials if the setup is no longer needed.

What this means

If another process or user can edit these files, they can steer future agent behavior across sessions.

Why it was flagged

Persistent task files and agent instruction files become reusable context that future cron runs and agents will trust.

Skill content
Task queue | `tasks/pending/` + `tasks/done/` under each subordinate's workspace; configure the foreman's SOUL.md; configure the subordinates' HEARTBEAT.md
Recommendation

Restrict filesystem permissions, review pending tasks before cron consumes them, and treat SOUL.md and HEARTBEAT.md as privileged configuration.

What this means

A mistaken or unsafe task can propagate across multiple agents, sessions, workspaces, and remote Git repositories.

Why it was flagged

A request can flow from Feishu to the foreman, then to task files, then to subordinate agents that may make remote repository changes.

Skill content
User ──Feishu──→ Foreman (main) ──task files──→ buyer / kb / gf ... Execute the task (cd game-factory && git pull → develop → commit && push)
Recommendation

Add containment: per-agent allowlists, staging branches, human review before pushes, and limits on which Feishu users can trigger or enqueue work.