SDF COM Bridge

v2.0.0

Bridge between SDF COM chatroom and Feishu-Lark messaging platform. Supports bi-directional message translation between English and Chinese, command executio...

by YuKaiXu @ykaixu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements an SSH-based bridge, terminal parsing, and a file-queue translation flow that fit the described SDF COM ↔ Feishu bridging purpose. However, the skill's metadata/requirements declare no config paths or credentials, yet the code requires an existing SSH ControlMaster socket (~/.ssh/sockets/<user>@<host>) and creates/uses ~/.openclaw/workspace directories for state, queues, and logs. These items are expected for an SSH bridge but should have been declared.
Instruction Scope
SKILL.md instructs running the Python scripts and even calls a test that triggers an 'ssh -O check' subprocess; it does not disclose that the runtime will create and write state, error logs, translation queue/results in ~/.openclaw/workspace, or that it will spawn an ssh subprocess using your keys/config. The main translation loop expects an external 'main agent' to poll and complete translations via files — SKILL.md mentions this but the mechanism is not prominent. The SKILL.md also instructs editing main.py with usernames which could cause unintended connections if misconfigured.
Install Mechanism
There is no install spec (instruction-only); dependencies are a small pinned set (pyte, pyte-screen) listed in requirements.txt. No remote download/install URLs are used. This is lower risk, but note the included code will be executed locally when 'python scripts/main.py' is run.
Credentials
The skill requests no environment variables in metadata, yet the code accesses and creates several paths under the user's home (~/.ssh/sockets for the SSH ControlMaster socket and ~/.openclaw/workspace/.com-bridge, .com-translation-queue, .com-translation-results). It also runs the local 'ssh' binary (via subprocess) and will reuse the user's SSH control socket and keys. These are reasonable for an SSH chat bridge but are not declared and grant the skill access to persistent files and your SSH agent/context.
Persistence & Privilege
The skill creates persistent state and queue files in the user's home (~/.openclaw/workspace) and writes an error log; it does not request always:true nor modify other skills. Persistent files are within its own directory structure, but this persistence (and the fact it will reuse an SSH ControlMaster socket) increases blast radius if misused.
What to consider before installing
This skill's code largely matches a legitimate SSH-based chat bridge, but it omits important runtime details in metadata. Before installing or running it:
- Review and accept that it will attempt to reuse your SSH ControlMaster socket (~/.ssh/sockets/<user>@<host>) and will spawn 'ssh' locally. Ensure you understand which SSH identity and host will be used.
- Inspect and be comfortable with files created under your home (it will create ~/.openclaw/workspace with state, logs, translation-queue and results). These persist between runs and may contain chat content.
- The bridge will send arbitrary COM commands and messages to the remote host (based on Feishu 'com:' inputs). Only run it if you trust the remote host and the messages the bridge might send.
- The translation flow relies on a cooperating 'main agent' to process queue files; without that component translations may be stubbed. Confirm how translations are produced and who/what has access to the queue/results directories.
- For safety, run and test in an isolated environment (VM/container) and use a throwaway SSH identity if possible. Verify file permissions for the created directories and clean up files after testing.
- If you plan to integrate with Feishu, note the provided code parses Feishu-like commands but does not include a networked Feishu client; any network integration should be audited separately.
If you want, I can list the exact files/paths the skill writes and point out the lines that create or call them so you can audit them precisely.

Like a lobster shell, security has layers — review code before you run it.

latestvk977ddb07jx6c10dr0kdfrp6gn822ez6
