Feishu Evolver Wrapper (Fixed)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Feishu evolver wrapper, but it gives itself broad unattended authority to run agents and commands, modify and push repository changes, repair other skills, persist as a watchdog, and send local operational data to Feishu.

Install only in a dedicated OpenClaw workspace where automatic code changes, background watchdogs, Feishu exports, and git pushes are acceptable. Configure Feishu targets explicitly, avoid running it against untrusted skill directories, and review or disable the git sync, skills monitor auto-heal, cron/daemon, and history export paths before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (34)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions even though its documented and inferred behavior requires environment access and network communication. This creates a transparency and review gap: operators may approve or run the skill without understanding that it can read sensitive configuration and communicate externally, which is especially risky given its Feishu integration and daemon-style management role.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose presents the skill as a Feishu reporting and lifecycle wrapper, but the detected behavior extends into autonomous git operations, subprocess spawning, watchdog persistence, self-repair, signal-file control, and modification of other skills. This mismatch is dangerous because it hides materially more powerful capabilities than a user would reasonably expect, increasing the chance of unauthorized persistence, unintended code changes, external data exfiltration, or broad system manipulation under the guise of routine lifecycle management.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This health-check script performs state-changing actions by creating the temp directory and deleting an error log, which violates the expected read-only nature of a diagnostic check. In an automation context, this can hide operational problems, destroy forensic evidence, and produce side effects when the caller only intended to assess status.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script searches neighboring evolver directories and deletes evolution_error.log files older than 24 hours, even though this behavior is unrelated to validating Feishu integration health. That broadens the script's authority and can erase evidence of failures or abuse, especially because it targets external component logs based on filesystem layout rather than a narrowly scoped Feishu resource.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The comments describe the file as a health-requirements check, but the implementation silently creates directories and deletes files. This mismatch is dangerous because operators and upstream callers may trust the script as non-invasive, leading them to run it in contexts where silent mutation and cleanup are inappropriate.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This file introduces a generic shell-command execution primitive via child_process.exec and exports it for reuse, which materially expands the skill's capability beyond simple Feishu reporting or wrapper orchestration. Because exec runs through a shell, any upstream untrusted input can become command injection, and the cache can also replay sensitive command output to later callers for up to one minute.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The wrapper performs broad git add/commit/pull/push operations across workspace paths, which exceeds its declared Feishu lifecycle/reporting role and gives it repository mutation and exfiltration capability. In this context, automatic pull/rebase/push can overwrite local state, publish unintended changes to a remote, and turn a reporting wrapper into an autonomous code publisher.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The wrapper launches an additional OpenClaw hand agent and appends its own directives to the task, materially expanding its authority beyond simple delegation/reporting. That creates an unexpected second execution path where the wrapper can steer agent behavior, cause extra actions, and bypass assumptions that only the core evolver is acting.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The code falls back to `new Function('return (' + sanitized + ')')()` on agent-generated payloads, which is effectively code execution on untrusted LLM output. Any attacker who can influence that payload can execute arbitrary JavaScript in the wrapper process, leading to full local compromise, credential access, filesystem abuse, and command execution through existing child-process capabilities.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The wrapper reaches into a user home-directory OpenClaw session lock file and deletes it if deemed stale, which is outside its stated Feishu wrapper scope and can interfere with unrelated sessions. Cross-component lock deletion is dangerous because stale-lock heuristics are imperfect and can corrupt coordination or break another process's safety guarantees.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The wrapper automatically manages external OpenClaw cron jobs, which exceeds a narrow Feishu-reporting/lifecycle role and introduces persistent system-side effects. Because this happens during normal lifecycle operations, the skill can modify scheduler state without explicit operator consent, increasing operational and security risk in shared environments.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code enumerates processes via /proc and terminates matching daemon-loop processes outside a direct child-process handle. Broad process discovery and killing based on command-line substring matching can affect unintended processes, especially in multi-user or multi-instance environments, causing denial of service or unsafe interference.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This module directly mutates the local Git repository by aborting rebases/merges, deleting .git/index.lock, and fetching from origin, which exceeds the stated Feishu reporting/lifecycle wrapper role. Even without obvious attacker-controlled input, unattended repository repair can discard in-progress state, interfere with concurrent Git operations, and create integrity/availability risks if invoked at the wrong time or in the wrong workspace.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The shell-based emergency Git repair capability is materially outside the declared purpose of a Feishu-integrated wrapper and increases the attack surface by granting code the ability to perform repository state changes through execSync. In an agent context, hidden operational capabilities are dangerous because they can be triggered unexpectedly, affect source integrity, and mask destructive behavior as 'self-repair' during failures.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The monitor is not read-only: it automatically modifies other skill directories by running package installation and creating files. In a security-sensitive environment, a monitoring tool that mutates untrusted targets expands the attack surface and can trigger unintended code execution paths or persist changes without operator approval.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Running `npm install` inside arbitrary skill directories is dangerous because package installation can execute lifecycle scripts from untrusted packages or local package definitions. Since this is done automatically during monitoring, a crafted skill can turn a scan into code execution with the monitor's privileges.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The code executes another skill's entry point via `node -e require(...)` to test dependency resolution. Requiring an untrusted module runs its top-level code immediately, so any malicious skill can execute arbitrary commands during a mere health check.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Deleting stale error logs without any user-facing disclosure reduces transparency and can suppress evidence needed for troubleshooting, incident response, or audit review. In a daemon-management wrapper, such silent cleanup is more dangerous because the script may run automatically and repeatedly, causing unnoticed loss of diagnostic history.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code launches subprocesses silently with no user-facing disclosure, confirmation, or logging at the execution point. In a skill intended for Feishu-integrated management, hidden command execution increases operational risk because users may trigger system-level actions without understanding that shell commands are being run.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script reads an evolution log from local storage and uploads its contents to Feishu without any confirmation, redaction, classification, or warning to the operator. Because logs commonly contain prompts, system messages, internal state, file paths, errors, or even secrets, this creates a real data-exfiltration risk to a third-party service, especially in an agent/evolver context where logs may be highly sensitive.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
If no explicit target is provided, the function silently falls back to OPENCLAW_MASTER_ID and proceeds to send the message. In a wrapper that manages evolution lifecycle and Feishu reporting, this can cause unintended disclosure of operational status, logs, or report content to a default recipient without the caller realizing it, especially in automation or CLI contexts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The wrapper executes subprocesses and automatically commits/pulls/pushes without clear user-facing confirmation, so users may trigger impactful repository actions without informed consent. In a skill advertised as Feishu integration/lifecycle management, this mismatch makes the behavior more dangerous because operators may not expect code publication side effects.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Runtime messages and errors are forwarded to Feishu groups without a strong user-facing disclosure of what data leaves the process. Since logs may contain task content, file paths, errors, or operational details, this can leak sensitive information to external chat targets, especially when targets are environment-driven.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code writes issue and context data to a predictable temporary markdown file in the system temp directory before uploading it. Even if the file is short-lived, it may contain sensitive operational details and can be exposed to other local users, backup/indexing processes, or left behind if the process crashes before cleanup.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function transmits issue signals and optional context to Feishu through a subprocessed append script with no validation, minimization, or consent gate in this component. In this skill's context, the data may include internal error details, session summaries, or other sensitive evolution-loop telemetry, creating a real risk of unintended external disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
