Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Card
v1.4.11
Send rich interactive Feishu cards with markdown, headers, buttons, images, and styled persona messages to users or groups.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (high confidence)
Purpose & Capability
The code implements Feishu card sending, persona wrappers, image upload, and CLI helpers — which matches the description. However the skill depends on a sibling module ../feishu-common for auth and implicitly loads a '../../.env' file for credentials even though the registry metadata declares no required env vars or config paths. That un-declared dependency on external credentials/config is inconsistent with the manifest.
Instruction Scope
SKILL.md describes sending messages and recommends writing message content to files (or using send_safe.js). The runtime instructions and code go beyond simple sending: they read and write files under ../../temp and ../../memory, attempt to load '../../.env', and handle file uploads. handle_event.js and send_safe.js call child_process.execSync with interpolated arguments — in particular handle_event.js constructs a shell command containing user-controlled menuKey without escaping, which can lead to command injection. The instructions don't mention these file writes or the need to secure the .env file.
Install Mechanism
There is no remote install/download spec; the package is instruction-plus-code included in the archive with a package.json referencing standard npm deps (commander, dotenv). No external downloads or extract steps are present.
Credentials
The skill metadata declares no required env vars or config paths, but send.js explicitly loads '../../.env' with dotenv and requires ../feishu-common for auth. That implies the skill will use Feishu credentials (APP_ID/SECRET or tokens) stored outside the skill folder. Not declaring these credentials is disproportionate and makes it unclear what secrets the skill will access. The code also writes/reads cache and temp files outside its own directory (../../memory, ../../temp), which increases its access surface.
Persistence & Privilege
The manifest's always flag is false (no forced inclusion). The skill writes a persistent cache (feishu_image_keys.json) and creates temp files under ../../memory and ../../temp: persistent state on disk, but confined to sibling/parent workspace directories. It does not appear to modify other skills' configs, but the ability to create files outside the skill directory and to exec shell commands increases its effective privileges in the agent workspace.
Scan Findings in Context
[use_of_dotenv_with_relative_env_path] unexpected: send.js calls dotenv.config() with path '../../.env', indicating it will load credentials from a parent workspace .env. A Feishu sender legitimately needs credentials, but the skill metadata does not declare required env vars or config paths — this is an inconsistency and a potential secret access surface.
[child_process_execSync_unescaped_input] unexpected: handle_event.js and send_safe.js use execSync to run node send.js. handle_event.js interpolates a user-controlled menu key into a double-quoted command without escaping, allowing potential shell injection if event data is malicious. Using execSync to call the sender CLI can be acceptable, but passing unescaped user input is dangerous.
[writes_to_parent_memory_and_temp_dirs] unexpected: send.js reads/writes '../../memory/feishu_image_keys.json' and send_safe.js writes files to '../../temp'. Persisting data in parent directories is not declared in the manifest and increases the skill's filesystem footprint beyond its own folder.
What to consider before installing
This skill implements Feishu card sending and mostly matches its description, but there are important mismatches you should address before installing:
- Verify ../feishu-common: The skill depends on a sibling module for auth. Inspect that module now to see which environment variables or secrets it expects (APP ID/SECRET, app access tokens, etc.). The skill itself does not declare those env vars in the registry metadata.
- Check ../../.env and workspace layout: send.js explicitly loads '../../.env'. Make sure that file does not contain unrelated or high-value secrets you don't want the skill to access. Prefer providing only the minimal Feishu credentials in a dedicated config location.
- Review file writes: the skill creates/reads files under ../../temp and ../../memory (caching image keys and creating temp message files). If you run this in a shared workspace, those files can be observed or persisted — consider running the skill in an isolated directory or container.
- Fix/avoid command injection: handle_event.js builds an execSync command with user data (menuKey) interpolated without escaping. If you use this handler, ensure the event payload is trusted or modify the code to avoid shell execution (use child_process.spawn with args array or call the sendCard function directly). Prefer using send_safe.js which writes message content to a file first, but note send_safe still execs send.js; it reduces but does not eliminate risk if filenames or targets are untrusted.
- Confirm expected credentials: ask the skill author or inspect feishu-common to confirm which env vars are required and update registry metadata to list them. If you cannot confirm, do not grant this skill access to workspace-level secret files.
If you decide to proceed: run the skill in an isolated environment, review and possibly harden the two execSync call sites, and ensure the .env only contains the minimal Feishu credentials needed for the integration.
Like a lobster shell, security has layers — review code before you run it.
