Is feishu-bridge safe?

https://clawhub.ai/AlexAnys/feishu-bridge

72
CAUTION

feishu-bridge is a legitimate Feishu/Lark messaging bridge for Clawdbot that establishes a persistent background service via macOS launchd. While the install behavior is clean and no prompt injection or canary tampering was detected, the skill installs a long-running process with access to gateway credentials and all message traffic. Critically, the actual source code of bridge.mjs and setup-service.mjs was not available for static analysis, preventing verification of runtime behavior.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH Persistent background service via launchd -25

setup-service.mjs generates a macOS LaunchAgent plist that auto-starts bridge.mjs on boot with KeepAlive. This establishes persistent code execution without ongoing user consent. While documented and expected for the use case, this is a powerful persistence mechanism.

HIGH Executable JavaScript with network access — source not audited -30

bridge.mjs is a long-running Node.js process that establishes WebSocket connections to Feishu cloud and Clawdbot Gateway. The actual source code of bridge.mjs and setup-service.mjs was not included in the audit evidence, preventing static analysis of their behavior.

MEDIUM Access to Clawdbot gateway credentials -20

The bridge reads ~/.clawdbot/clawdbot.json which contains the gateway authentication token, and ~/.clawdbot/secrets/feishu_app_secret. These credentials could be exfiltrated through the outbound WebSocket connections the bridge establishes.

MEDIUM Message interception capability -15

The bridge sits between Feishu users and the Clawdbot AI agent, routing all messages through bridge.mjs. This architectural position allows the bridge to read, modify, or copy all conversation content without detection.

MEDIUM Transitive npm dependency risk -10

@larksuiteoapi/node-sdk is a large SDK with a deep dependency tree. Supply chain compromise of any transitive dependency would execute in the context of the persistent bridge process with access to credentials and message traffic.

LOW Covert channel potential in multi-skill environments -10

In an environment with multiple skills, the persistent bridge process could serve as an exfiltration channel. Another skill could write data that the bridge picks up and sends out through the Feishu WebSocket, bypassing network monitoring that focuses on direct connections.

INFO Clean clone and install behavior 0

No network activity, no unexpected processes, no filesystem changes outside skill directory during installation. The skill installed cleanly with no suspicious behavior.

INFO Canary files untouched 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained intact throughout the audit.

INFO SKILL.md contains only legitimate documentation 0

The skill markdown contains standard setup instructions, architecture diagrams, environment variable tables, and troubleshooting guides. No hidden instructions, unicode tricks, or prompt injection attempts detected.