Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
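OpenClaw Feishu Troubleshooting
v1.0.0
Troubleshooting tool for the Feishu plugin. Includes a FAQ of common problems and a deep diagnostic command (/feishu_doctor). The FAQ can be consulted at any time. The diagnostic command is for troubleshooting complex problems (authorization that still fails after multiple attempts, problems that automatic authorization cannot resolve, and so on); it checks account configuration, API connectivity, app permissions, and user authorization status, and generates a detailed diagnostic report with solutions.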
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Feishu troubleshooting) matches the SKILL.md content, but the documented capabilities (checking appId/appSecret, API connectivity, bot openId, user tokens/offline_access) imply access to credentials or platform APIs. The skill declares no credentials, no required binaries, and no install — there is a capability/requirements mismatch.
Instruction Scope
The SKILL.md describes a runtime diagnostic ('/feishu doctor') that will inspect sensitive items (appId/appSecret masked, token refresh state, connectivity). The instructions do not explain how the agent obtains the credentials or performs API calls, nor do they explicitly avoid asking the user to paste secrets. That vagueness grants the agent broad discretion and could lead to sensitive data exposure if implemented poorly.
Install Mechanism
There is no install spec and no code files (instruction-only), so nothing is written to disk and no external packages are fetched — low install risk.
Credentials
The diagnostic claims require access to app credentials, tokens, and user auth states, but the skill declares no required environment variables or primary credential. Either the skill is relying on an implicit platform-integrated Feishu connector (not documented), or it would require asking for secrets at runtime — both should be explicit. The lack of declared secrets is disproportionate to the claimed checks.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It does not request persistent system presence or modify other skills; autonomy (model invocation) remains default and is not by itself a red flag here.
What to consider before installing
Don't install or run this skill until the author clarifies how diagnostics are performed and where credentials come from. Key questions to ask the publisher: (1) Where is the code that performs the API checks? Provide a source link. (2) Does this rely on a platform-managed Feishu connector or will it ask you to paste appId/appSecret or user tokens? If it asks for secrets, refuse to paste them in chat; provide credentials only via a secure platform credential store. (3) Request an explicit list of the data accessed and the retention policy (are any tokens or logs stored/exported?). If you must use it, test in a non-production tenant with minimal privileges and avoid sharing real secrets. Prefer skills that declare required env vars/credentials and publish their implementation/source.
