ClawAudit verdict
feishu-interactive-cards
Receives external input AND executes processes
Feishu interactive card builder for sending buttons, forms, and polls to users; uses process_exec and file_write for running a local callback server via long-polling, consistent with the stated purpose of handling card interaction callbacks.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.
What it does
These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.
Receives external input AND executes processes — the shape of a command & control channel
LLM05 · LLM06 · ASI10
Writes files AND executes processes — may drop and execute malicious scripts
LLM05 · LLM06 · ASI05
Both reads and writes files — verify scope is limited to intended directories
LLM06 · ASI02
Findings (10)
Recursive delete from root or home — destructive command
references/gateway-integration.md · code · rm -rf /
Accesses sensitive system files
references/security-best-practices.md · code · /etc/passwd
Possible hardcoded credential
references/security-best-practices.md · code · Token:', token);
// ✅ Correct
console.log(
Uses exec() — may execute shell commands
SKILL.md · code · exec(
Accesses .ssh directory
references/security-best-practices.md · code · .ssh/
File write/delete operation
SKILL.md · code
Accesses OpenClaw config/secrets directly
SKILL.md · prose · downgraded · ~/.openclaw/openclaw.json
Popular HTTP library — network access
references/gateway-integration.md · code · axios
POSTs data to external URL
references/gateway-integration.md · code · .post(
'https://
Accesses sensitive environment variables
references/security-best-practices.md · code · process.env.API_KEY
Permissions & capabilities
No declared permissions — minimal attack surface.
network_in · process_exec · file_read · file_write