Back to skill
Skillv1.0.0
VirusTotal security
feishuFindDoc · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:42 AM
- Hash
- 031ea434b7c205a8e284c0bfcdeee51c614836d8f079cf6ee983083c0c2667f0
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: feishu-doc-finder Version: 1.0.0 The skill's primary function is to find and download files from Feishu, which aligns with its description. It accesses `FEISHU_APP_ID` and `FEISHU_APP_SECRET` from environment variables, which is necessary for its operation, and there is no evidence of exfiltration. However, the `index.js` script constructs the output file path using `path.join(options.output, fileName)`. If the `fileName` retrieved from the Feishu API contains path traversal sequences (e.g., `../../evil.sh`), a malicious file could be written outside the intended output directory. This represents a potential path traversal vulnerability, classifying the skill as suspicious due to this risky capability, even though there's no clear evidence of intentional malicious behavior by the developer.
- External report
- View on VirusTotal