Is gaowanqi08141999/feishu-bitable-creator safe?

https://github.com/openclaw/skills/tree/main/skills/gaowanqi08141999/feishu-bitable-creator

Overall score: 88/100 · SAFE

The feishu-bitable-creator skill is a documentation-only SKILL.md with no install-time executable code, no git hooks, no malicious network connections, and no canary file exfiltration. Its primary security concerns are architectural rather than malicious: the required drive:permission:manage Feishu permission is broader than necessary for the stated scope, and the skill's reliance on conversation context for the admin user_id creates a weak trust boundary that could be exploited by a co-active malicious skill or injected content. No evidence of intentional malice was found in the skill content or runtime behavior.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (7)

MEDIUM Overly broad drive:permission:manage scope -12

The skill declares drive:permission:manage as a required Feishu app permission. This permission applies to all documents in the Drive, not just tables created by this skill. An agent following the skill's addBitableAdmin() pattern could theoretically re-share any document whose app_token is known to the agent session.

MEDIUM user_id sourced from conversation context enables admin escalation via prompt manipulation -15

The addBitableAdmin() step requires a user_id 'obtained from conversation context'. This means any text in the conversation that claims to be a Feishu openid could be accepted. A malicious document fetched via a browser skill, or a crafted user message, could inject an attacker-controlled ou_ identifier, causing the agent to grant full_access on the created Bitable to an external party without the legitimate user realizing it.

LOW All agent-created data flows to Feishu (open.feishu.cn) servers -8

Any table name, field values, or record content the agent populates via this skill is transmitted to Feishu's cloud. This is the skill's stated purpose, but users should be aware that sensitive data included in Bitable records leaves the local environment.

LOW user_id sourcing instruction is loosely scoped -7

The skill instructs the agent to retrieve user_id from 'conversation context or Feishu user profile' without specifying a verified source. This is not prompt injection in the skill itself, but creates a weak spot if conversation context is tainted by a co-active malicious skill or document.

LOW External documentation URLs referenced in setup instructions -5

SKILL.md references https://docs.openclaw.ai/channels/feishu and https://open.feishu.cn/app. These appear in setup prose, not as agent commands, so risk of agent fetching them unsolicited is low. They are noted for completeness.

INFO Install-time network activity limited to GitHub -5

The only external TCP connection during install was to 140.82.121.4:443 (GitHub) for the monorepo sparse-checkout. No connections to attacker infrastructure were observed.

INFO Canary file reads attributed to audit framework, not skill 0

inotify and auditd recorded opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. Timestamp correlation (1771908402.948 = monitoring start; 1771908420.582 = post-install canary check) and the absence of any EXECVE attributable to skill-installed code confirm these reads are from OATHE's own baseline and verification routines. Honeypot verifier confirms all files intact.