Feishu Advanced Builder

Status: Pass. Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill bundle is classified as suspicious due to a local file inclusion (LFI) vulnerability present in all three primary JavaScript scripts (`scripts/feishu-bitable.js`, `scripts/feishu-board.js`, `scripts/feishu-markdown-to-docx.js`). Each script uses `fs.readFileSync` to read content from a file path supplied as a command-line argument (`--markdown-file` or `--code-file`), without restricting that path to an expected location. An attacker could exploit this by injecting a malicious file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) through prompt injection against the OpenClaw agent, leading to arbitrary file disclosure. Although the scripts then process this content and send it to the Feishu API (the intended destination for the skill's output), the ability to read arbitrary local files constitutes a significant security vulnerability.