Is leecyang/feishu-interactive-cards safe?

https://github.com/openclaw/skills/tree/main/skills/leecyang/feishu-interactive-cards

75
CAUTION

The feishu-interactive-cards skill is a functionally legitimate Feishu integration tool that shipped with two critical security vulnerabilities at initial release (command injection and arbitrary file read), both patched on 2026-02-06, just 18 days before this audit. The install process was clean, with no exfiltration or unexpected behavior detected. The primary concerns are the skill's extremely broad 'ANY uncertainty' behavioral override, its design around a persistent background long-polling process that routes all user interactions through the OpenClaw Gateway, and a history of rapidly patched critical vulnerabilities that indicates immature security practices.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 76/100 · 25%
Code Execution 67/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (9)

HIGH Critical command injection vulnerability existed at initial release -20

CHANGELOG v1.0.1 documents a CRITICAL command injection vulnerability: callback handlers used exec({command: `rm ${file}`}), where file came from a user-controlled card button value. An attacker could craft a card button value of '; rm -rf / #' to execute arbitrary commands. This was the initial implementation pattern and existed in v1.0.0.

HIGH Critical arbitrary file read vulnerability patched same day as command injection -13

CHANGELOG v1.0.2 documents a CRITICAL arbitrary file read in scripts/send-card.js via the --template parameter. An attacker could pass --template ~/.ssh/id_rsa to read any file the script could access and send its contents to Feishu. Both critical patches landed on 2026-02-06, the day after the initial release.

MEDIUM Overly broad activation condition overrides default agent behavior -20

The SKILL.md Core Principle section instructs the agent to send interactive cards instead of plain text 'when there is ANY uncertainty.' This is an extremely broad behavioral override that could cause the agent to route many normal interactions through Feishu card infrastructure, changing agent behavior across contexts far beyond the skill's stated purpose.

MEDIUM SKILL.md instructs agent to execute shell commands with interpolated user data -10

The Use in Agent section presents, as the correct pattern, an exec() call with ${chatId} interpolated directly into a shell command string. While chatId from Feishu is normally a fixed identifier, this teaches an unsafe shell interpolation pattern and expands the agent's attack surface by adding node script execution to its tool repertoire.

MEDIUM Gateway design aggregates all user interaction data to a central service -15

The callback server forwards every card interaction (user ID, open_id, union_id, action values, message IDs, chat IDs) to the OpenClaw Gateway. While the default gateway is localhost:18789, the architecture is designed as a data aggregation pipeline: if the gateway is misconfigured or compromised, all Feishu interaction metadata is captured.

MEDIUM Persistent long-polling background process with auto-reconnect -20

The callback server is designed to run permanently, establishing a long-polling connection to Feishu's infrastructure with automatic reconnection. This creates an always-on outbound network process that persists across agent sessions and requires separate lifecycle management.

LOW Hardcoded Windows-specific paths throughout SKILL.md -5

All script execution examples use hardcoded Windows paths (E:\openclaw\workspace). This indicates the skill was developed and tested only on a specific Windows installation and will silently fail on Linux/Mac, suggesting limited cross-platform security testing.

INFO Clean clone behavior with expected GitHub traffic only 0

Installation involved only a git sparse-checkout from github.com. No unexpected outbound connections, no firewall-blocked attempts, no processes spawned outside normal git operations. Connection state before and after install was identical except for the SSH session used for auditing.

INFO All honeypot files intact; canary accesses attributed to audit infrastructure 0

Canary file PATH records in auditd (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/...) appear at timestamps both before clone start (1771936596) and after completion (1771936619), consistent with audit infrastructure canary setup and post-install verification, not skill activity.