feapder

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: feapder
Version: 1.0.0

The skill bundle provides a comprehensive environment for the feapder 1.9.2 crawling framework. While the instructions in SKILL.md and the project templates are aligned with the stated purpose of assisting in spider development, the core framework code contains critical security vulnerabilities. Specifically, request.py, task_spider.py, and batch_spider.py utilize the eval() function to deserialize data retrieved from Redis or local caches. This pattern introduces a significant Remote Code Execution (RCE) risk if the underlying data sources are compromised. No evidence of intentional malice, data exfiltration, or prompt injection was identified.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a project runs this kind of code against attacker-controlled Redis/MySQL task data, a crafted task string could execute Python code.

Why it was flagged

The vendored feapder reference implementation contains dynamic evaluation of task data. It is not auto-run by this instruction-only skill, but it is an unsafe pattern if the upstream code or copied logic processes untrusted task strings.

Skill content
tasks = [eval(task) for task in tasks]
Recommendation

Do not copy eval-based parsing into new spider code. Prefer json.loads or ast.literal_eval, and only run feapder 1.9.2 task/debug flows against trusted data or patched code.
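The recommendation above, as an added example that is not part of the scan report or of the feapder project: a drop-in replacement for the eval-based list comprehension that decodes task strings with json.loads and ast.literal_eval only. Both decoders handle plain literals (dicts, lists, strings, numbers) and refuse names, calls and attribute access, so a task string that is not a literal is reported instead of executed. The sample task strings are constructed for this example; the function names are assumptions.

```python
import ast
import json
from typing import Any, List, Tuple

# Constructed sample task strings, in the shape a spider might pop from a
# Redis list or a task table. The third one is not a literal and must be rejected.
SAMPLE_TASKS = [
    '{"id": 1, "url": "https://example.com/a"}',      # JSON
    "{'id': 2, 'url': 'https://example.com/b'}",      # Python repr style
    "len('abc')",                                     # a call expression, not data
]


def parse_task(raw: str) -> Any:
    """Decode one task string without executing it.

    JSON is tried first; Python-repr style strings (single quotes, True/None)
    fall back to ast.literal_eval, which only builds literal values and raises
    on any name, call, or attribute access.
    """
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        pass
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"task is not a plain literal: {raw!r}") from exc


def load_tasks(raw_tasks: List[str]) -> Tuple[List[Any], List[str]]:
    """Safe counterpart of `tasks = [eval(task) for task in tasks]`.

    Returns the decoded tasks and, separately, the raw strings that were
    rejected so they can be logged and investigated rather than silently dropped.
    """
    parsed: List[Any] = []
    rejected: List[str] = []
    for raw in raw_tasks:
        try:
            parsed.append(parse_task(raw))
        except ValueError:
            rejected.append(raw)
    return parsed, rejected


if __name__ == "__main__":
    ok, bad = load_tasks(SAMPLE_TASKS)
    print("decoded:", ok)
    print("rejected:", bad)
```

A rejected task is the signal worth alerting on: with eval-based parsing the same string would have run as code, so a non-empty rejected list from a production queue is a sign that the task store has been tampered with.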

What this means

Running generated batch crawler code against the wrong database or Redis namespace could mark many tasks complete or failed incorrectly.

Why it was flagged

The documented BatchSpider workflow includes updating task state in backing storage. This is expected for feapder batch crawlers, but it is still a database/queue mutation when generated code is run.

Skill content
yield self.update_task_batch(request.task_id, 1) # update task state to 1
Recommendation

Review redis_key, task_table, task_state, and database settings before running generated spiders, and test against a non-production environment first.

What this means

Copying authenticated browser curl commands into prompts, scripts, or shell history can expose session cookies.

Why it was flagged

The debugging documentation shows raw curl commands that may include session cookies. This is a normal crawler-debugging technique, but cookies are sensitive credentials.

Skill content
feapder shell --curl 'https://www.baidu.com/' ... -H 'Cookie: PSTM=...; BDUSS=...'
Recommendation

Redact cookies and authorization headers before sharing prompts or committing code, and use temporary test sessions when debugging authenticated pages.