Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
feishu-attendance
v1.0.9
Monitor Feishu attendance for late, early leave, or absence, notify employees of issues, and send summary reports to admin with holiday-aware checks.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements Feishu attendance checks, holiday lookups, caching, and messaging as described — so functionality matches the name/description. However, the package/skill metadata declares no required credentials or primaryEnv even though the runtime delegates to a shared 'feishu-common' module that will need Feishu app credentials (tenant/app id & secret or a token). The omission of required env vars/credentials in the manifest is an inconsistency.
Instruction Scope
SKILL.md shows how to run checks and mentions caching and the holiday API. The SKILL.md does not document the optional FEISHU_ADMIN_ID env var or the dependency on a shared 'feishu-common' and time-helper modules that the code imports. The code reads/writes cache files under '../../memory/attendance_cache' (creating directories) and calls external services (timor.tech and Feishu APIs) — these behaviors are within the tool's purpose but are not fully disclosed in metadata/instructions.
Install Mechanism
There is no remote download/install spec (no extract or external URL). Dependencies are listed in package.json/package-lock (node-fetch, yargs, dotenv). Code is included in the bundle; no hidden installers or remote fetch of archives were found in the manifest. This is lower install risk than arbitrary remote downloads.
Credentials
The skill requires Feishu API access to function, and the code expects a shared feishu-common module to provide tokens/fetchWithAuth, but requires.env/primaryEnv fields are empty. The skill will also optionally use FEISHU_ADMIN_ID from process.env (not documented in SKILL.md). Missing explicit credential declarations is disproportionate to the metadata and hides what secrets the skill requires from the user.
Persistence & Privilege
The skill does not request 'always:true' and agent-autonomous invocation is default (not a new concern). It writes cache files to '../../memory/attendance_cache' (creates directories) and therefore persists data on disk in parent directories relative to the skill; this is reasonable for caching but you should verify the path is the intended shared-memory area and not a sensitive location.
What to consider before installing
This skill's functionality (checking Feishu attendance, holiday lookups, and sending messages) matches its code, but the package metadata omits required credentials and shared dependencies. Before installing:
1) Confirm where the feishu-common and common/time-helper modules come from and inspect them — they will handle authentication and determine what credentials are needed.
2) Expect to provide Feishu app credentials (tenant/app id & secret or tokens); verify which env vars are required and that they are scoped minimally.
3) Note the skill writes cache files to ../../memory/attendance_cache — confirm that path is a safe, intended storage area.
4) Use the --dry-run option first to validate behavior without sending messages.
5) If you cannot review feishu-common or the host environment that supplies shared modules, treat this as higher risk and avoid granting it real credentials or running it with notify enabled.
Like a lobster shell, security has layers — review code before you run it.
