Is autogame-17/feishu-sticker safe?
https://github.com/openclaw/skills/tree/main/skills/autogame-17/feishu-sticker
The feishu-sticker skill poses significant runtime data exfiltration risk: it deliberately reads workspace-root credentials via ../../.env, accesses agent session memory files for auto-targeting, and can upload any filesystem path to the external Feishu CDN without path restrictions or user confirmation. While SKILL.md contains no prompt injection and canary files were untouched during installation, the code itself is architecturally dangerous when deployed in an agent with file-system access. Additional red flags include a hardcoded developer home path in find.js and an anomalous version history spanning two GitHub organizations.
Findings (8)
HIGH Workspace Root .env Loaded Outside Skill Directory -40
send.js calls require('dotenv').config({ path: require('path').resolve(__dirname, '../../.env') }), which resolves to the workspace root two levels above the skill. This exposes every variable in the workspace .env to the skill process, not just FEISHU_APP_ID/SECRET. Any secrets stored there (OpenAI keys, database passwords, etc.) are loaded into the process environment.
HIGH Arbitrary File Upload to External Feishu CDN via --file Parameter -20
send.js accepts any absolute or relative file path via the --file CLI option and uploads the raw file bytes to open.feishu.cn (Bytedance-controlled CDN). There is no allowlist, file type check, or path restriction. An agent instructed to send a sticker from a crafted path (e.g., ~/.ssh/id_rsa, ~/.aws/credentials) will silently exfiltrate the file to an external server with no user-visible warning.
HIGH Agent Context and Memory Files Read for Auto-Target Resolution -10
getAutoTarget() reads ../../memory/context.json (fields: last_target_id, last_active_chat, last_active_user) and ../../memory/menu_events.json (field: user_id) to silently determine the message recipient. These files live in the shared agent workspace memory and may contain sensitive session state, conversation identifiers, and user data the skill should not need.
MEDIUM ffmpeg-static Downloads and Executes Remote Binary at Install Time -35
The ffmpeg-static dependency is flagged hasInstallScript:true in package-lock.json, meaning npm install triggers a postinstall script that downloads a pre-compiled static ffmpeg binary from the internet. This binary is subsequently executed via spawnSync at runtime for GIF-to-WebP conversion and image compression. Supply chain compromise of the ffmpeg-static package or its CDN could result in arbitrary code execution.
MEDIUM Hardcoded Developer Home Path Leaked in find.js -30
find.js defaults STICKER_DIR to /home/crishaocredits/.openclaw/media/stickers, a path that encodes the developer's local username. send.js correctly uses os.homedir() for the same default, indicating this was an oversight. The inconsistency suggests the skill was developed as a personal tool and published without review, raising questions about overall code quality and security hygiene.
MEDIUM Version History Anomaly: Latest Downgraded, Dual-Repo Commits -35
_meta.json declares latest as version 1.0.8 with publishedAt 1771046458660, yet the history array contains 1.1.0 and 1.1.1 with earlier publish timestamps. Higher semantic versions were published before lower ones, and commits originate from two different GitHub organizations (openclaw/skills and clawdbot/skills). This pattern indicates either automated version manipulation, repository migration without cleanup, or intentional version confusion to bypass security gates that flag version regressions.
LOW Repository Origin Spans Two GitHub Organizations -12
The install script fetches from github.com/openclaw/skills, but _meta.json history records commits from github.com/clawdbot/skills for versions 1.0.0 through 1.1.1. The namespace change from clawdbot to openclaw is unexplained and may indicate ownership transfer, account compromise, or deliberate obfuscation of the skill's provenance.
INFO No Canary File Exfiltration Detected During Install 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed only by the audit framework during setup and teardown phases (timestamps 1771653144 and 1771653165), not by skill installation code. All canary file hashes remain intact.