Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Bridge

v1.0.0

Connect a Feishu (Lark) bot to Clawdbot via WebSocket long-connection. No public server, domain, or ngrok required. Use when setting up Feishu/Lark as a messaging channel, troubleshooting the Feishu bridge, or managing the bridge service (start/stop/logs). Covers bot creation on Feishu Open Platform, credential setup, bridge startup, macOS launchd auto-restart, and group chat behavior tuning.

by Yangsen AN (@alexanys)
License: MIT-0. Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the included code: bridge.mjs implements a Feishu WebSocket client and forwards messages to a local Clawdbot Gateway. However the registry metadata claims no required env vars or credentials while both SKILL.md and bridge.mjs require FEISHU_APP_ID, a stored Feishu App Secret file, and a local Clawdbot config (which contains the gateway.auth.token). That metadata omission is an incoherence.
Instruction Scope
SKILL.md and bridge.mjs limit actions to what's needed for a bridge: reading a local App Secret file, reading the Clawdbot config, connecting to Feishu and to ws://127.0.0.1 gateway, writing logs, and offering a macOS launchd setup. The instructions do read and write files in ~/.clawdbot and write a LaunchAgents plist; they do not attempt network exfiltration to unknown third-party endpoints beyond Feishu and the local gateway.
Install Mechanism
There is no remote download URL or installer — installation is via npm install using package.json, and included code files are plain JavaScript. This is a normal, low-risk install mechanism for a Node skill.
Credentials
The skill needs FEISHU_APP_ID and an App Secret stored at ~/.clawdbot/secrets/feishu_app_secret, plus the Clawdbot config file that contains gateway.auth.token. Those are sensitive credentials and are necessary for the stated function, but the skill registry metadata declared no required env vars/credentials — the mismatch is concerning and should be resolved before trusting the skill.
Persistence & Privilege
setup-service.mjs writes a user LaunchAgents plist and creates ~/.clawdbot/logs, enabling RunAtLoad and KeepAlive; this grants persistent, auto-start behavior in the user's account (not system-wide). 'always' is false and the skill does not request elevated system-wide privileges, but installing the launchd agent has lasting effect and should be consciously approved by the user.
What to consider before installing
This package appears to implement what it claims (a local Feishu→Clawdbot bridge) but the registry metadata omitted required inputs. Before installing:

1) verify the files (bridge.mjs, setup-service.mjs, package.json) match expectations and come from a trusted source;
2) be aware the bridge will read your Feishu App Secret file (~/.clawdbot/secrets/feishu_app_secret) and your Clawdbot config (which contains the gateway token); both are sensitive;
3) the setup script will write a LaunchAgents plist to ~/Library/LaunchAgents and create persistent logs under ~/.clawdbot, so only enable auto-start if you want that persistent service;
4) if you cannot verify the source, run the bridge in a contained environment (non-critical account or VM) and avoid enabling launchd auto-start until you have audited the code.

If possible, ask the publisher to fix the registry metadata so required env vars and credential usages are declared explicitly.


