Skill v1.0.1
ClawScan security
self-backup-to-feishu · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 2:52 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (backup/restore to Feishu) is plausible, but the package omits declared credentials/config requirements and includes scripts that read sensitive local files (cron, .msmtprc, workspace files) and perform system changes. The mismatch and sensitive operations merit caution.
- Guidance: This skill appears to do what it says (backup and restore assistant state to Feishu) but has important mismatches and sensitive behavior you should consider before installing:
  - The package did not declare required credentials, yet the docs/scripts expect Feishu app_id/app_secret, document tokens, and a tenant_access_token. Demand that these be declared and handled securely (prefer injected secrets, not hardcoded values in files).
  - The scripts read sensitive local files including ~/.msmtprc (email credentials) and the system crontab, and the restore flow writes files and adds cron jobs. Only run in an environment where you trust the skill and can accept those changes.
  - The code uses /root/.openclaw/workspace and /root logs. Prefer running under an unprivileged user and change workspace paths to a user-owned directory before running.
  - The recovery flow suggests piping cron lines into crontab, which can add arbitrary scheduled jobs. Review any cron content before restoring.
  - If you still want to use it: review and edit the scripts to (1) avoid reading secrets you don't want backed up, (2) require explicit confirmation before restoring or adding cron entries, (3) store Feishu credentials encrypted or provided at runtime, and (4) run initial tests in an isolated environment.

  Because of the credential declaration mismatch and the sensitive file/cron manipulation, treat this as suspicious unless the author provides clearer credential/config declarations and a minimal, audited script set.
Review Dimensions
- Purpose & Capability (note): The skill's name/description (backup to Feishu) matches the scripts and recovery guide: they read assistant state files, generate a backup document, and describe restoring from a Feishu doc. However, the SKILL.md and code reference Feishu credentials (app_id, app_secret, doc tokens, tenant_access_token) but the registry entry declares no required environment variables or credentials. This is an inconsistency that should have been declared.
- Instruction Scope (concern): The runtime instructions and scripts read and reconstruct sensitive local data: MEMORY.md, IDENTITY.md, USER.md, SOUL.md, ~/.msmtprc (email credentials), and the system crontab. They also include steps to write files back to disk and add cron jobs. Reading and restoring .msmtprc and crontab are high-sensitivity actions and go beyond simple document-syncing; the SKILL.md gives broad discretion (e.g., '掌握新技能时' triggers) which could lead to frequent accesses.
- Install Mechanism (ok): There is no external install or downloader; this is instruction-only plus bundled scripts. No network download/install mechanism was used, so risk from remote arbitrary code fetch is low. Scripts will be present in the skill package and may be executed by the agent.
- Credentials (concern): Registry metadata lists no required env vars but the documentation and code require Feishu app_id/app_secret/doc tokens/tenant_access_token and expect the app to have document access. The scripts operate on /root/.openclaw/workspace and logs under /root, and read ~/.msmtprc; these are privileged paths. The lack of declared credentials and the use of root paths are disproportionate and inconsistent.
- Persistence & Privilege (note): The skill is not always-on (always: false) and uses normal autonomous invocation settings. It writes files to its own workspace (local backups and a .pending-feishu-backup marker) but does include instructions to modify system cron. Modifying cron and writing ~/.msmtprc are privileged operations; the skill should explicitly request/declare that level of access before use.
