ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-perm-help

v1.0.0

启用飞书权限管理工具,支持添加、查看和移除飞书文档/表格协作者权限操作。

0· 141·0 current·0 all-time
by@benleyl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill says it will enable a Feishu permissions tool and the included script explicitly reads ~/.openclaw/openclaw.json, sets channels.feishu.tools.perm and per-account tools.perm to true, saves the file, and restarts the OpenClaw gateway — all consistent with the stated purpose.
Instruction Scope
Runtime instructions and the script operate only on the agent's OpenClaw config (~/.openclaw/openclaw.json) and call local gateway commands. This is expected for enabling a tool, but the script does modify a user config file and restarts the gateway — an intrusive action that should be disclosed to users and done with care (backup the config first).
Install Mechanism
There is no download/install from external URLs; the package is instruction-only with a small local script. No archives or network installs are performed by the skill itself.
Credentials
The skill requests no environment variables, no credentials, and only touches the OpenClaw config file it claims to. There are no requests for unrelated secrets or external service tokens.
Persistence & Privilege
The skill writes to the agent's own configuration and restarts the gateway to enable the tool. It is not marked always:true and does not request elevated system privileges beyond invoking the 'openclaw' CLI, but modifying config and restarting services is a meaningful privilege — users should ensure they trust the skill source.
Assessment
This skill appears to do exactly what it says: it edits ~/.openclaw/openclaw.json to enable the feishu perm tool and restarts the OpenClaw gateway. Before installing: (1) inspect the scripts/enable-perm-tool.js file (it is small and readable); (2) back up ~/.openclaw/openclaw.json so you can roll back changes; (3) verify you trust the skill author/source; (4) be prepared to run 'openclaw gateway status' / restart manually if automatic restart fails. No credentials or external network downloads are requested, which reduces risk.
scripts/enable-perm-tool.js:80
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk973j6d9yc88fpm02kfck81nj9838v8n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments