Skill v1.0.3
VirusTotal security
feishu-doc-reviewer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 6:25 AM
- Hash: 0afbe5fea2fd2dc17ac56de9402e626e96fe4d0aa7182bfbc23097a914244742
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: feishu-doc-reviewer; Version: 1.0.3. The skill bundle provides legitimate Feishu (Lark) document management capabilities but contains a critical command injection vulnerability in `run-tool.sh`. The script uses `python3 -c` to execute Python code containing unsanitized shell variables (`$NEW_TEXT`, `$CONTENT`), which allows for arbitrary Python code execution if an attacker provides a crafted document comment or input. While no clear evidence of intentional malice (like data exfiltration to third parties) was found, the high-risk execution pattern in `run-tool.sh` and the broad document write permissions required make it a significant security risk.
