Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Bridge

Connect a Feishu (Lark) bot to Clawdbot via WebSocket long-connection. No public server, domain, or ngrok required. Use when setting up Feishu/Lark as a messaging channel, troubleshooting the Feishu bridge, or managing the bridge service (start/stop/logs). Covers bot creation on Feishu Open Platform, credential setup, bridge startup, macOS launchd auto-restart, and group chat behavior tuning.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
7 · 8k · 52 current installs · 55 all-time installs
by Yangsen AN (@AlexAnys)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the included code: bridge.mjs implements a Feishu WebSocket client and forwards messages to a local Clawdbot Gateway. However the registry metadata claims no required env vars or credentials while both SKILL.md and bridge.mjs require FEISHU_APP_ID, a stored Feishu App Secret file, and a local Clawdbot config (which contains the gateway.auth.token). That metadata omission is an incoherence.
Instruction Scope
SKILL.md and bridge.mjs limit actions to what's needed for a bridge: reading a local App Secret file, reading the Clawdbot config, connecting to Feishu and to ws://127.0.0.1 gateway, writing logs, and offering a macOS launchd setup. The instructions do read and write files in ~/.clawdbot and write a LaunchAgents plist; they do not attempt network exfiltration to unknown third-party endpoints beyond Feishu and the local gateway.
Install Mechanism
There is no remote download URL or installer — installation is via npm install using package.json, and included code files are plain JavaScript. This is a normal, low-risk install mechanism for a Node skill.
Credentials
The skill needs FEISHU_APP_ID and an App Secret stored at ~/.clawdbot/secrets/feishu_app_secret, plus the Clawdbot config file that contains gateway.auth.token. Those are sensitive credentials and are necessary for the stated function, but the skill registry metadata declared no required env vars/credentials — the mismatch is concerning and should be resolved before trusting the skill.
Persistence & Privilege
setup-service.mjs writes a user LaunchAgents plist and creates ~/.clawdbot/logs, enabling RunAtLoad and KeepAlive; this grants persistent, auto-start behavior in the user's account (not system-wide). 'always' is false and the skill does not request elevated system-wide privileges, but installing the launchd agent has lasting effect and should be consciously approved by the user.
What to consider before installing
This package appears to implement what it claims (a local Feishu→Clawdbot bridge) but the registry metadata omitted required inputs. Before installing:

  1. Verify the files (bridge.mjs, setup-service.mjs, package.json) match expectations and come from a trusted source.
  2. Be aware the bridge will read your Feishu App Secret file (~/.clawdbot/secrets/feishu_app_secret) and your Clawdbot config (which contains the gateway token) — both are sensitive.
  3. The setup script will write a LaunchAgents plist to ~/Library/LaunchAgents and create persistent logs under ~/.clawdbot, so only enable auto-start if you want that persistent service.
  4. If you cannot verify the source, run the bridge in a contained environment (non-critical account or VM) and avoid enabling launchd auto-start until you’ve audited the code.

If possible ask the publisher to fix the registry metadata so required env vars/credential usages are declared explicitly.


Current version: v1.0.0


SKILL.md

Feishu Bridge

Bridge Feishu bot messages to Clawdbot Gateway over local WebSocket.

Architecture

Feishu user → Feishu cloud ←WS→ bridge.mjs (local) ←WS→ Clawdbot Gateway → AI agent
  • Feishu SDK connects outbound (no inbound port / public IP needed)
  • Bridge authenticates to Gateway using the existing gateway token
  • Each Feishu chat maps to a Clawdbot session (feishu:<chatId>)

Setup

1. Create Feishu bot

  1. Go to open.feishu.cn/app → Create self-built app → Add Bot capability
  2. Enable permissions: im:message, im:message.group_at_msg, im:message.p2p_msg
  3. Events: add im.message.receive_v1, set delivery to WebSocket long-connection
  4. Publish the app (create version → request approval)
  5. Note the App ID and App Secret

2. Store secret

mkdir -p ~/.clawdbot/secrets
echo "YOUR_APP_SECRET" > ~/.clawdbot/secrets/feishu_app_secret
chmod 600 ~/.clawdbot/secrets/feishu_app_secret

3. Install & run

cd <skill-dir>/feishu-bridge
npm install
FEISHU_APP_ID=cli_xxx node bridge.mjs

4. Auto-start (macOS)

FEISHU_APP_ID=cli_xxx node setup-service.mjs
launchctl load ~/Library/LaunchAgents/com.clawdbot.feishu-bridge.plist
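
Step 2 above creates the secret file with default permissions and tightens it only afterwards, and the echo line can leave the App Secret in shell history. The sketch below is an added example, not part of the skill: it reads the value from stdin, creates the file under umask 077, and then verifies the result. The function names file_mode, store_secret and check_secret are hypothetical; only the file path comes from the page.

```bash
#!/bin/sh
# Added example, not part of the skill. Function names are hypothetical.

# Octal permission bits: GNU stat (Linux) first, BSD stat (macOS) second.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Read one line from stdin and store it at $1 with no world-readable window.
store_secret() {
  secret_path=$1
  secret_dir=$(dirname "$secret_path")
  (
    umask 077                          # new files 600, new dirs 700
    mkdir -p "$secret_dir" || exit 1
    IFS= read -r secret || true        # tolerate a missing trailing newline
    [ -n "$secret" ] || exit 1         # refuse to store an empty value
    printf '%s\n' "$secret" > "$secret_path"
  ) || return 1
  # umask only affects newly created paths; tighten pre-existing ones too.
  chmod 700 "$secret_dir" && chmod 600 "$secret_path"
}

# Return 0 only for a non-empty regular file, owned by the current user,
# with mode exactly 600.
check_secret() {
  secret_path=$1
  if [ ! -f "$secret_path" ] || [ -L "$secret_path" ]; then
    echo "not a regular file: $secret_path" >&2; return 1
  fi
  [ -O "$secret_path" ] || { echo "not owned by current user" >&2; return 1; }
  [ -s "$secret_path" ] || { echo "secret file is empty" >&2; return 1; }
  mode=$(file_mode "$secret_path")
  [ "$mode" = "600" ] || { echo "mode is $mode, expected 600" >&2; return 1; }
}

# Usage (path from step 2):
#   store_secret ~/.clawdbot/secrets/feishu_app_secret
#   check_secret ~/.clawdbot/secrets/feishu_app_secret
```

Called without a pipe, store_secret reads the value from the terminal, so it never appears on a command line. Running check_secret before starting the bridge or loading the launchd agent catches a file that was created or restored with wider permissions.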

Diagnostics

# Check service
launchctl list | grep feishu

# Logs
tail -f ~/.clawdbot/logs/feishu-bridge.err.log

# Stop
launchctl unload ~/Library/LaunchAgents/com.clawdbot.feishu-bridge.plist

Group chat behavior

In group chats, the bridge replies only when the user @-mentions the bot, or the message ends with ?/, contains request verbs (帮/请/分析/总结…), or calls the bot by name. To customize the name list, edit shouldRespondInGroup() in bridge.mjs.

Environment variables

| Variable | Required | Default |
| FEISHU_APP_ID | | |
| FEISHU_APP_SECRET_PATH | | ~/.clawdbot/secrets/feishu_app_secret |
| CLAWDBOT_CONFIG_PATH | | ~/.clawdbot/clawdbot.json |
| CLAWDBOT_AGENT_ID | | main |
| FEISHU_THINKING_THRESHOLD_MS | | 2500 |

Files

5 total