Skill v1.0.0

ClawScan security

feishu-bitable-builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 3:14 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's documentation describes interactive Feishu/Bitable operations (API/CLI calls, ownership/permission changes) but the package does not declare the required credentials, CLI binaries, or installation steps needed to perform them — this mismatch is concerning.
Guidance
This skill appears to be a coherent Feishu/Bitable how-to, but it omits critical operational details. Before installing or using it: (1) ask the author to declare what binaries/CLI tools it expects and to provide installation instructions; (2) require explicit listing of any environment variables or API credentials (app_token, client_id/secret, bot token) and ensure they follow least-privilege scopes; (3) review and test all automation and HTTP webhook targets in a sandbox account — automations can transfer ownership, change permissions, and call external endpoints; (4) never supply broad admin credentials to a skill you don't trust; instead create a limited-scope service account for testing; (5) request source/homepage or maintainer contact to verify provenance and for accountability. If the author cannot or will not clarify these gaps, treat the skill as risky and avoid granting it real credentials or production access.

Review Dimensions

Purpose & Capability
Rating: concern
The SKILL.md clearly targets Feishu Bitable (creating apps/tables/fields, automations, dashboards). However, the instructions reference CLI tools (feishu_bitable_create_app, feishu_bitable_create_field, feishu_perm, etc.) and use app_token/token parameters without declaring any required binaries or environment variables. A legitimate skill that performs these actions would normally require Feishu API credentials and/or those CLI binaries to be present; the manifest omits them.

Instruction Scope
Rating: concern
Runtime instructions instruct the agent to create apps/tables, run automations, call HTTP/Webhook endpoints, and transfer ownership/permissions. These actions require access to tokens/credentials and the ability to make network/API calls. The SKILL.md does not explain where credentials come from or limit what should be changed (e.g., it instructs transferring ownership to the user and leaving robot edit rights). That grants the skill the ability to modify access control unless constrained externally.

Install Mechanism
Rating: ok
This is an instruction-only skill with no install spec and no code files. From an install mechanism perspective this is low-risk because nothing is downloaded or executed by the platform as part of an installation. However, runtime actions still require external tools/credentials not declared here.

Credentials
Rating: concern
No environment variables or primary credential are declared, but examples and instructions clearly expect app_token/token and other credentials. That mismatch is disproportionate: the skill requires sensitive credentials to function but does not declare them, handle them, or explain their scope/least-privilege requirements.

Persistence & Privilege
Rating: ok
The skill does not request always:true and does not declare any special persistent privileges or system-wide configuration changes. Autonomous invocation is allowed (platform default), which increases operational scope but is not, by itself, a reason to flag this skill further.