Feishu Evolver Wrapper Local

Security checks across malware telemetry and agentic risk

Overview

This Feishu evolver wrapper has coherent goals, but it also runs agents, changes and pushes repository state, manages recurring jobs, and sends operational data externally with insufficient scoping and safeguards.

Install only if you intentionally want an autonomous evolver wrapper that can run OpenClaw agents, alter local skill/workspace files, push commits to a remote git repository, maintain watchdog cron jobs, and send logs/reports/history to Feishu. Review the environment variables and Feishu targets first, use a dedicated repository or branch, and avoid running it in workspaces containing secrets or unrelated private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (36)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises no declared permissions even though it uses environment access and networked Feishu integration. That mismatch reduces user visibility into sensitive capabilities and can lead operators to invoke the skill without understanding it can read environment-provided secrets or transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is a Feishu reporting wrapper, but the observed behavior includes autonomous git operations, repository self-repair, spawning subprocesses, modifying files, and exporting data to Feishu Docs. This is dangerous because users may grant trust based on the narrow description while the skill can alter source control state, execute broader automation, and exfiltrate project history or metadata to external services.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This health-check script performs state-changing actions instead of only assessing and reporting status: it creates a temp directory and deletes an error log. That is dangerous because health checks are often run automatically and trusted as side-effect-free, so these hidden mutations can alter operational state, erase forensic evidence, and make failures harder to investigate.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script automatically deletes evolver error logs older than 24 hours, even though log retention is unrelated to Feishu integration health validation. This can destroy debugging and audit data, conceal prior failures, and is especially risky because the path search spans multiple nearby evolver directories, increasing the chance of deleting operationally important logs during routine checks.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
This module exposes a generic shell execution primitive that accepts arbitrary command strings and executes them via child_process.exec. In a Feishu/evolution-loop management wrapper, that capability is broader than the stated purpose and creates a command-injection/RCE risk if any upstream input can influence the command, while the cache may also replay sensitive command output to repeated callers.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The function silently falls back to process.env.OPENCLAW_MASTER_ID when no explicit target is provided, creating ambient, environment-dependent message routing. In a messaging helper, this can cause sensitive operational reports or user-provided content to be sent to an unintended recipient without the caller realizing it, especially in automated or multi-tenant environments.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The wrapper claims to manage lifecycle/reporting, but it stages files, creates commits, pulls/rebases, and pushes to a remote repository. That materially expands its authority from orchestration into persistent code and data mutation, creating a supply-chain and integrity risk if triggered unexpectedly or with unsafe content. In this context, automatic remote sync is especially dangerous because the skill can turn agent-produced changes into durable upstream commits without explicit approval per run.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The wrapper does more than delegate to a core evolver: it extracts task payloads, rewrites task content, injects directives, and launches a separate OpenClaw hand agent. This creates an unbounded control plane where wrapper-authored instructions can materially alter downstream agent behavior, broadening the attack surface beyond the stated wrapper role. In a security-sensitive agent environment, hidden orchestration and task rewriting increase the chance of unsafe autonomous actions.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
If JSON parsing fails, the code falls back to `new Function('return (' + sanitized + ')')()` on agent-produced payload text. That is arbitrary code execution on untrusted input, meaning a malicious or compromised child agent output could run attacker-controlled JavaScript inside the wrapper process with its filesystem, network, and git privileges. Given this wrapper can push to git and send network reports, compromise impact is severe.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code grants edit access on a newly created Feishu document to an identity taken directly from the OPENCLAW_MASTER_ID environment variable. If that environment variable is misconfigured, attacker-controlled, or inherited from an untrusted runtime, sensitive issue reports may be shared with the wrong external principal and remain persistently accessible.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The wrapper does more than lifecycle/reporting: it provisions and edits OpenClaw cron jobs, which expands its authority to persistent host scheduler management. In this skill context, that is security-relevant because a Feishu-integrated wrapper can silently establish persistence and recurring execution beyond the user’s immediate command.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill executes external OpenClaw CLI commands to inspect, add, and edit cron jobs, which is broader system control than its stated Feishu reporting and evolver wrapper duties imply. Even if intended for reliability, this creates persistence and host-state modification capabilities that could be abused or surprise operators.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The monitor does not merely inspect skills; it automatically mutates other skill directories by running package installation and creating files. That expands its authority from observation to code and filesystem modification, creating a supply-chain and integrity risk if an untrusted or malformed skill is present.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code executes Node against each discovered skill entry point to test dependency resolution, and later may run npm install in those directories. Requiring a skill can execute arbitrary top-level code from an untrusted package, and npm install can trigger lifecycle scripts, so this turns monitoring into arbitrary code execution against discovered content.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automatically creating SKILL.md files modifies unrelated skill directories without consent. While lower severity than code execution, it can overwrite intended repository state, interfere with workflows, and normalize unauthorized cross-skill mutation in a component whose stated purpose is Feishu/evolver integration rather than repository repair.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description mentions Feishu reporting and history export but does not clearly warn that operational history and related data may be transmitted to external Feishu services. In this context, the omission matters because evolution logs, issue history, and repository-derived metadata may contain sensitive internal information that operators would not expect to leave the local environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Silently creating the temp directory introduces an undisclosed side effect in a script expected to validate health status. While lower impact than log deletion, it can mask deployment/configuration problems, surprise operators, and normalize unexpected write behavior from a monitoring component.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Silently deleting stale error logs without any disclosure removes potentially important evidence and can hide recurring failures from operators. In the context of a wrapper that manages an evolution daemon, this is more dangerous because health and incident signals are central to safe operation, so undisclosed log removal undermines observability and accountability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script reads a local evolution log and uploads its contents to Feishu, but it provides no consent prompt, redaction, sensitivity check, or clear warning about external transmission. Because logs often contain prompts, internal state, file paths, stack traces, or secrets, this can leak sensitive workspace data to a third-party service unintentionally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This fallback sends a Feishu message to OPENCLAW_MASTER_ID without any user-facing disclosure, so callers may believe no message is sent when target is omitted. In the context of a Feishu reporting wrapper that may handle evolver status, dashboards, and rich card content, this increases the chance of confidential status data or reports being exfiltrated to an unintended account configured in the environment.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The wrapper writes task/status files and deletes stale lock files automatically, including under a user home directory path, without explicit confirmation or disclosure. While some of this is operational hygiene, silent modification/deletion of local state can disrupt other processes, destroy forensic context, or interfere with user expectations in multi-process environments.

Missing User Warnings

High
Confidence
95% confidence
Finding
The logging/reporting pipeline forwards messages, errors, summaries, and task-derived content to Feishu targets, but the code provides no meaningful disclosure or consent barrier before external transmission. Because forwarded content may include agent output, failure details, and operational context, this can leak sensitive data to third-party messaging infrastructure or unintended chat recipients.

Missing User Warnings

High
Confidence
97% confidence
Finding
The wrapper executes multiple subprocesses and performs `git add`, `commit`, `pull --rebase`, and `push` automatically without explicit per-execution warning or approval. This can transform autonomous agent output into persistent local and remote repository changes, creating integrity, provenance, and operational risk if the wrapper is triggered unexpectedly or manipulated through downstream content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Issue data and free-form context are written to a temporary markdown file in the OS temp directory before upload. That creates a local disclosure surface because temp directories may be accessible to other local users, backed up, or left behind if cleanup fails, exposing potentially sensitive operational or user-derived content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends issue signals and optional context to Feishu through a helper script with no apparent consent, warning, or content classification. Because extraContext is free-form and may include sensitive operational data, this creates an external data exfiltration path that is especially relevant in a reporting/integration skill designed to persist and share diagnostics.

VirusTotal

65/65 vendors flagged this skill as clean.
