Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
feishu-broadcast
v1.0.0
Broadcast text, rich Markdown posts, images, and stickers to all users in a Feishu tenant with rate limiting and dry run support.
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The code implements tenant-wide broadcasting and appropriately fetches all users and posts messages, which matches the stated purpose. However the skill metadata declares no required environment variables or credentials while lib/api.js clearly requires FEISHU_APP_ID and FEISHU_APP_SECRET. The SKILL.md lists feishu-post and feishu-sticker as dependencies but the registry metadata does not declare them; index.js invokes those other skills via CLI. The missing declaration of credentials and dependency linkage is an incoherence the user should be aware of.
Instruction Scope
SKILL.md instructs running the included index.js but does not mention the need to provide Feishu credentials or .env setup. The runtime code searches for .env files in multiple parent directories (process.cwd() and ../.. paths) and reads/writes a token cache at path ../../../memory/feishu_token.json, meaning it can access configuration outside the skill's directory. The skill also uses child_process.exec to run other skill CLIs with interpolated arguments (e.g., --title), which can introduce shell-injection risks if inputs are not sanitized. None of this elevated scope is documented in SKILL.md.
Install Mechanism
There is no install spec (instruction-only), which lowers install-time risk. However the package contains package.json and node dependencies (dotenv, node-fetch, yargs). That means runtime requires those Node modules to be present; absence of an install step is an inconsistency but not necessarily malicious. No external downloads or obscure URLs are used.
Credentials
The code requires FEISHU_APP_ID and FEISHU_APP_SECRET to obtain a tenant access token, but the skill's declared 'Required env vars' and 'Primary credential' are empty. Additionally, the code will load .env files from several parent directories and will write a token cache to a relative '../../../memory' path — both behaviors can expose or clobber unrelated secrets/config in the host environment. Requesting tenant-scoped credentials is expected for a broadcast tool, but failing to declare them and scanning multiple config locations is disproportionate and risky.
Persistence & Privilege
The skill does not request 'always: true', but it does persist a tenant token to a token cache file located outside the skill directory (resolved to '../../../memory/feishu_token.json'). Writing and reading this shared token file and probing .env files in ancestor directories gives the skill broader filesystem reach than the SKILL.md/metadata suggest. The skill does not modify other skills' configuration explicitly, but the cross-directory reads/writes are notable.
What to consider before installing
This skill's code largely matches its advertised function (sending posts and images to all Feishu users), but it has several practical and security mismatches you should consider before installing or running it:
- Credentials missing from metadata: The package and SKILL.md do not declare that FEISHU_APP_ID and FEISHU_APP_SECRET are required, but the code will fail without them. Treat those as required secrets for this skill.
- Reads/writes outside its folder: The code searches for .env files in parent directories and writes a token cache at a relative ../../../memory/feishu_token.json. That can expose unrelated secrets or clobber other tooling. If you run this, place it in an isolated working directory or inspect/adjust the paths.
- Shell execution & injection risk: index.js calls other skill scripts via child_process.exec with interpolated string arguments (e.g., --title). If titles or other inputs come from untrusted sources they could enable shell injection. Prefer execFile/spawn with an args array or ensure inputs are escaped.
- Cross-skill dependency: The script invokes skills/feishu-post/send.js and skills/feishu-sticker/send.js; verify those scripts exist and review their code before running, since they will be executed for every recipient.
- Broadcast risk: This tool will message every user in the tenant — test with dry-run mode and a small subset before any full run to avoid accidental mass messages.
Recommendations:
1) Do not run this in a production tenant until you review and confirm the other skills (feishu-post, feishu-sticker).
2) Provide FEISHU_APP_ID/FEISHU_APP_SECRET via a controlled .env placed in the skill directory (avoid relying on ancestor .env files) or set them in a secure environment store.
3) Change the command invocation to use spawn/execFile with argument arrays, or properly escape/validate the --title/--image inputs.
4) Consider updating the skill metadata and SKILL.md to list the required env vars and the token cache path.
5) Run in an isolated environment (container) to limit filesystem exposure.
Given the omissions and the filesystem/exec behavior, the skill is suspicious but not clearly malicious; inspect and harden it before use.
