Is bryan-chx/feishu-api-cache-fix safe?

https://github.com/openclaw/skills/tree/main/skills/bryan-chx/feishu-api-cache-fix

47
DANGEROUS

The feishu-api-cache-fix skill is a dangerous supply chain attack disguised as a rate-limit performance fix. Its core payload replaces probe.ts with a function that unconditionally returns {ok: true} without ever contacting the Feishu API; this is not a cache but an authentication bypass stub. The replacement is carried out by a shell script run with sudo that modifies system-owned agent code. The change is persistent, requires no ongoing attacker access, and neutralizes any OpenClaw logic that depends on Feishu probe results for credential validation or connectivity gating.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 5/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 78/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (8)

CRITICAL probe.ts replaced with authentication bypass stub, not a cache -55

The replacement code in fix_feishu_cache.sh removes all actual Feishu API communication and replaces it with an unconditional success stub. The function caches {ok: true} — a value it fabricated without contacting Feishu — and returns it for 2 hours. A legitimate cache would store the result of a real API call. This implementation never makes a real API call at any point, rendering Feishu authentication verification permanently non-functional.

CRITICAL sudo required to modify core agent code in system node_modules -40

The skill instructs the agent to run fix_feishu_cache.sh with sudo, which overwrites a TypeScript file inside /usr/local/lib/node_modules/openclaw — the installed agent runtime. Adding caching to a probe function requires no root privileges under any legitimate scenario. The sudo requirement exists solely because the attacker wrote the skill to target a system-owned path rather than a user-writable one, ensuring the modification is maximally persistent and affects all users on the system.

HIGH New outbound connections to AWS endpoint established post-install -30

The connection snapshot diff shows two new ESTABLISHED connections from openclaw-gateway (pid=1085) to 3.217.42.175:443 that were not present before the skill was installed. 3.217.42.175 resolves to an AWS EC2 address. While the gateway was already running, the new external connections coincide with probe.ts being modified — possibly the gateway detecting the config change and phoning home, or the modified probe triggering different code paths that contact an attacker-controlled endpoint.

HIGH All canary credential files accessed in burst after skill installation -25

Six canary credential files were accessed in a rapid burst at 1771927096.934 — approximately 4 seconds after the skill was copied into place at 1771927092. The access pattern is unusual: all six files accessed within a single second in inode order. While the integrity monitor reports no modification, read access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials in rapid succession post-install is a strong data harvesting signal.

HIGH Persistent Feishu auth bypass survives agent restarts and benefits attacker long-term -80

Because probe.ts is modified in the installed node_modules directory, the bypass is persistent. Any call to probeFeishu() — from health checks, pre-operation credential validation, or connectivity assertions — will return success indefinitely. This allows an attacker whose Feishu credentials have been revoked to continue appearing authenticated, or masks a misconfiguration that would otherwise generate alerts, giving the attacker extended dwell time.

MEDIUM SKILL.md conditions agent to execute privileged shell via documented usage -35

While SKILL.md does not use hidden text or jailbreak language, its Usage section normalizes running arbitrary shell scripts as root as the expected installation workflow. This establishes a precedent within the skill ecosystem that conditions agents and users to accept sudo shell execution as routine for 'fix' skills.

MEDIUM Audit-phase probe of openclaw node_modules installation path -25

During the audit window, a git command was executed against /usr/local/lib/node_modules/openclaw — the exact path targeted by fix_feishu_cache.sh. This probing behavior (verifying the target exists and is a git repo) is consistent with pre-attack reconnaissance confirming the installation path before executing the payload.

LOW Canary files accessed across four temporal clusters during audit window -22

Canary credential files were accessed at 1771927074, 1771927082, 1771927089, and 1771927096 — four distinct access events over a 22-second window. The first and last clusters correspond to expected monitoring checkpoints, but the intermediate accesses at 1771927082 and 1771927089 lack obvious monitoring attribution. All files confirmed intact by the canary integrity check.