SDF COM Bridge
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its chat-bridge purpose, but it uses an existing SSH login and can let Feishu text commands post or private-message through that account without visible sender checks.
Install only if you understand that it will use an existing SDF SSH login and may relay Feishu commands into COM. Configure the account and room deliberately, restrict who can send Feishu commands, monitor/clear the local queue and state files, and stop the bridge when it is no longer needed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone whose Feishu message reaches the bridge may be able to make the connected SDF COM account post publicly or send private messages.
The bridge turns raw Feishu message text into COM send/private-message actions, but the artifacts do not show sender, channel, allowlist, or confirmation checks before producing those actions.
def parse_instruction(self, text: str) ... if text.startswith(self.PRIVATE_PREFIX): ... FeishuCommand.SEND_PRIVATE ... if text.startswith(self.CHAT_PREFIX): ... FeishuCommand.SEND_CHAT
Restrict the bot to trusted Feishu chats, validate sender and channel IDs, and require explicit approval or allowlists for private messages and public posting.
Running the bridge can act through the user's existing SSH configuration/session and may post to COM as that account.
The bridge relies on a local authenticated SSH context for a hard-coded default account/host. The registry metadata declares no primary credential, required config path, or required binary, so the account/session authority is under-declared.
def __init__(self, user: str = "yupeng", host: str = "sdf.org" ... self.socket_path = ... "~/.ssh/sockets/{user}@{host}" ... cmd = ["ssh", f"{self.user}@{self.host}"]
Declare the SSH/session requirement clearly, make the account configurable, use the intended ControlMaster socket explicitly, and require the user to confirm which account will be used.
Untrusted chat text or locally planted queue files could be processed as translation work by the agent, and chat contents may remain on disk until handled.
Translation requests are exchanged through a shared local JSON queue intended for the main agent, with no origin/authentication checks or clear retention policy shown.
QUEUE_DIR = Path.home() / ".openclaw/workspace/.com-translation-queue" ... for f in QUEUE_DIR.glob("*.json"): ... data = json.load(fp) ... requests.append(data)
Treat queued text as untrusted data, restrict directory permissions, validate request schema/origin, separate chat content from instructions, and clean stale queue files.
The bridge may keep relaying or processing messages until it is explicitly stopped or the process exits.
The bridge starts background loops for real-time message and translation handling. This is purpose-aligned, but users should know it continues operating while the process runs.
self._read_thread = threading.Thread(target=self._process_loop, daemon=True) ... self._translate_thread = threading.Thread(target=self._translation_loop, daemon=True)
Provide a clear stop command/status indicator and document how to shut down the bridge and clear queued state.
It may be harder to verify where this exact packaged version came from.
The embedded metadata does not match the registry owner/version exactly and the listing has unknown source/homepage. This is a provenance note, not proof of unsafe behavior.
"ownerId": "local", "slug": "sdf-com-bridge", "version": "2.0.0-patched"
Verify the publisher/source before running, and prefer packages with consistent metadata and a public repository or signed release history.
