feishu-group-manager

v1.0.0

Manage Feishu group chats by updating names, descriptions, permissions, and toggling busy status indicators.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The name/description (manage Feishu group chats) matches the code (GET/PUT to Feishu chat endpoints). However the code imports fetchWithAuth from '../feishu-common/index.js' which is not present in the package — that's a substantive missing piece. Also package.json includes dotenv, implying environment-based credentials, but the skill declares no required env vars or primary credential. This mismatch between expected auth needs and declared requirements is concerning.
! Instruction Scope
SKILL.md only instructs running the two Node scripts with a chat-id and options; it does not document how authentication is provided, where feishu-common comes from, or what scopes/permissions the app needs. It also references MEMORY.md -> 'Busy Status Protocol' which is not included. The runtime instructions therefore omit critical setup and credential handling details.
Install Mechanism
There is no install spec (instruction-only), which limits direct install-time risk. The package.json lists only small, well-known deps (commander, dotenv). No remote downloads or extract steps are present. However because this is not a pure prose skill (it includes JS files) the absence of an install step means consumers must manually run npm install or otherwise supply runtime modules — this should be made explicit.
! Credentials
The code clearly needs authorization to call Feishu APIs (fetchWithAuth), so the skill will require credentials/tokens (app id/secret or access token). Yet requires.env is empty and no primary credential is declared. The presence of dotenv implies secrets may be loaded from a .env at runtime. This is disproportionate and opaque: the skill asks for or will use secrets but does not declare or document them.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no OS restrictions. It doesn’t claim any persistent system-wide privileges in the manifest.
What to consider before installing
This package contains legitimate-looking code to GET/PUT Feishu chat settings, but it's incomplete and opaque: it requires a helper module (feishu-common) that isn't included and likely needs Feishu credentials (not declared). Before installing or running it:
1) ask the publisher for the missing feishu-common source and any README describing auth flows;
2) verify where fetchWithAuth gets tokens and ensure it doesn't exfiltrate secrets or post data to unexpected endpoints;
3) require explicit documentation of required env vars (app id/secret or access token) and the minimum API scopes;
4) avoid dropping your real credentials into an unverified package; test in an isolated environment or with a least-privilege Feishu app;
5) if you cannot obtain the missing files or a trustworthy source/homepage, treat the package as incomplete/untrusted and do not run it against production credentials.

Like a lobster shell, security has layers — review code before you run it.
