Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Evolver Wrapper Local

Feishu-integrated wrapper for the capability-evolver. Manages the evolution loop lifecycle (start/stop/ensure), sends rich Feishu card reports, and provides...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 20 · 0 current installs · 0 all-time installs
fork of @autogame-17/feishu-evolver-wrapper (based on 1.7.1)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The code implements a Feishu integration and lifecycle/watchdog for an evolver (sending cards, creating Feishu Docs, exporting logs, running daemons). That aligns with the description. However the registry/metadata declares no required environment variables or primary credential, while the code clearly expects Feishu credentials and other environment values (FEISHU_APP_ID, FEISHU_BOT_NAME, FEISHU_EVOLVER_DOC_TOKEN, OPENCLAW_MASTER_ID, etc.). This discrepancy is unexpected and disproportionate: an integration skill should declare the API tokens it needs.
[!] Instruction Scope
SKILL.md gives a small surface (run node index.js, lifecycle.js, visualize_dashboard.js), but the included runtime instructions (code) touch many system and workspace areas: reading memory/, logs/, assets/gep/events.jsonl, /proc, MEMORY.md, creating/removing PID and lock files, spawning background processes, and calling external CLI tools (openclaw, shell commands). The code also reads token files (memory/feishu_token.json) and uploads content to Feishu. The SKILL.md does not enumerate these behaviors or the sensitive files it reads, so the instruction scope is broader than the docs indicate.
Install Mechanism
No install spec is provided (instruction-only), which reduces installer risk. However, the bundle contains many executable JS scripts and a package.json with a local 'evolver' dependency (file:../evolver). There is no remote download in the install, but executing the included scripts will run non-trivial native operations.
[!] Credentials
The registry declares no required env vars/credentials but the code expects and will use multiple sensitive environment variables and token files (FEISHU_APP_ID, FEISHU_BOT_NAME, FEISHU_EVOLVER_DOC_TOKEN, OPENCLAW_MASTER_ID, FEISHU token JSON in memory/feishu_token.json). The code attempts to scan for some secret patterns before sending, but the presence of many implicit/undeclared credentials and file reads is disproportionate and should be explicitly declared and justified.
Persistence & Privilege
The skill does not set always:true. It spawns background processes/daemons, writes PID and lock files under the workspace (memory/, logs/), and can self-start internal watchdogs. That behavior is consistent with a daemon wrapper, but it gives the skill the ability to persist as background processes within the host workspace—users should expect it to create/modify files and processes while running.
What to consider before installing
This package contains many runnable scripts that will read workspace files, create PID/lock/log files, spawn background processes, execute shell commands, and send data to Feishu using tokens that the code expects (FEISHU_APP_ID, FEISHU_BOT_NAME, FEISHU_EVOLVER_DOC_TOKEN, and/or memory/feishu_token.json). The skill metadata does not declare those required credentials; verify them before installing. Actions to consider before running:

  1) Inspect or run the code in a sandbox or isolated container.
  2) Confirm where your Feishu tokens would be stored and consider creating a restricted token with minimal permissions for testing.
  3) Audit any missing modules referenced (../feishu-common, ../evolver) to ensure they are honest and available.
  4) Search the repo for all places that read files (memory/, logs/, assets/) to understand what might be uploaded to Feishu.
  5) If you do not trust the source, do not provide production credentials and run only in a throwaway environment.

The skill appears to implement its claimed features, but the omission of declared credentials and broad system access make it worth manual review before use.
exec_cache.js:19 - Shell command execution detected (child_process).
index.js:485 - Shell command execution detected (child_process).
issue_tracker.js:64 - Shell command execution detected (child_process).
lifecycle.js:98 - Shell command execution detected (child_process).
report.js:131 - Shell command execution detected (child_process).
self-repair.js:20 - Shell command execution detected (child_process).
skills_monitor.js:65 - Shell command execution detected (child_process).
index.js:1230 - Dynamic code execution detected.
export_history.js:15 - Environment variable access combined with network send.
visualize_dashboard.js:21 - Environment variable access combined with network send.
[!] export_history.js:23 - File read combined with network send (possible exfiltration).
[!] visualize_dashboard.js:143 - File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Current version: v1.0.0
latestvk97560vnd0d9wn80ezdsc24wn9831qg0

SKILL.md

Feishu Evolver Wrapper

A lightweight wrapper for the capability-evolver skill. It injects the Feishu reporting environment variables (EVOLVE_REPORT_TOOL) to enable rich card reporting in the Master's environment.

Usage

# Run the evolution loop
node skills/feishu-evolver-wrapper/index.js

# Generate Evolution Dashboard (Markdown)
node skills/feishu-evolver-wrapper/visualize_dashboard.js

# Lifecycle Management (Start/Stop/Status/Ensure)
node skills/feishu-evolver-wrapper/lifecycle.js status

Architecture

  • Evolution Loop: Runs the GEP evolution cycle with Feishu reporting.
  • Dashboard: Visualizes metrics and history from assets/gep/events.jsonl.
  • Export History: Exports raw history to Feishu Docs.
  • Watchdog: Managed via OpenClaw Cron job evolver_watchdog_robust (runs lifecycle.js ensure every 10 min).
    • Replaces fragile system crontab logic.
    • Ensures the loop restarts if it crashes or hangs.

Files

24 total