百科虾
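v2.2.1
百科虾 skill package for 蜗牛公司 (Snail Company). Answers employees' company-related questions (policies, benefits, processes, organizational structure, etc.). Triggered when a user asks a company-related question. Questions the knowledge base does not cover are never answered: no fabrication, no web search.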
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (internal company encyclopedia Q&A) match the actual behavior: scripts sync Feishu wiki content, index content, search it, and send replies via Feishu. The required credentials (appId/appSecret stored in openclaw.json) are appropriate for Feishu integration.
Instruction Scope
SKILL.md instructs creating an isolated agent workspace, running sync/search/send scripts, and storing credentials in openclaw.json. The runtime instructions and scripts only read/write the agent cache, wiki_list.json, and openclaw.json and call Feishu APIs — all within the stated scope. The README explicitly forbids web searching and fabrication.
Install Mechanism
No install spec; skill is placed into the agent workspace and run with Node.js. No external arbitrary downloads or installers are used. Scripts are plain JS and run locally.
Credentials
The only sensitive data accessed are Feishu appId/appSecret from ~/.openclaw/openclaw.json (and optional OPENCLAW_AGENT_NAME env var). These are necessary and proportional for contacting Feishu APIs. The skill does not request unrelated credentials or config paths.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It stores cache under the agent workspace and uses openclaw.json-managed credentials; it does not modify other skills or system-wide settings.
Assessment
This skill appears to do exactly what it says: sync Feishu wiki pages into an agent-local cache, build a search index, and send replies via Feishu. Before installing, confirm the following: (1) openclaw.json in the operator's home (~/.openclaw/) will be read for Feishu appId/appSecret — only provide credentials that are scoped to this agent/app. (2) The skill logs API responses (sync.js prints debug info) and may call contact APIs to resolve user names — those calls involve employee identifiers and names, so restrict who can run the agent and where logs are stored. (3) The scripts write cache and temp files under the agent workspace (e.g., cache/, temp/) — run in an isolated workspace to avoid accidental exposure. (4) Review wiki_list.json to ensure it only points to approved internal wikis. If you need stronger assurance, run the scripts in a controlled environment (no production credentials) and inspect logs/output during a sync to verify behavior.
Like a lobster shell, security has layers — review code before you run it.
latest vk97byzaj1qyebgt8439rdnsf8184dh5n
