Skill v1.0.0
ClawScan security
Feishu Cli Setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 5, 2026, 6:35 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-first installer/guide for the official lark-cli; its requirements, instructions, and included scripts are consistent with that purpose.
- Guidance: This skill appears to be a legitimate installer/guide for the official lark-cli. Before running anything, verify you trust the upstream packages: check the npm package publisher for @larksuite/cli and the GitHub repo (https://github.com/larksuite/cli). Be cautious when performing global npm installs (avoid sudo if possible; follow npm permission guidance). When asked for App ID/Secret, paste them only into the local CLI prompt — do not paste secrets into public chats or repositories. Confirm that any authorization URL you receive is a legitimate feishu/larksuite domain before opening it. If you prefer less system-wide impact, you can install lark-cli locally instead of globally and avoid running npx skills add -g.
Review Dimensions
- Purpose & Capability (ok): Name/description (Feishu/Lark CLI install + OAuth guidance) match the provided artifacts. The package includes prompt-generator scripts that produce step-by-step instructions for installing/configuring lark-cli and loading the 20 Agent Skills; these are appropriate for the stated goal.
- Instruction Scope (ok): SKILL.md and all scripts only instruct the agent to run local CLI commands (npm install, npx, lark-cli commands), extract authorization/config URLs from CLI output, and present them to the user. They explicitly require user browser interaction for OAuth and encourage --dry-run and user confirmation. The instructions do not direct reading unrelated system files or exfiltrating secrets.
- Install Mechanism (note): There is no registry install spec; this is an instruction-only skill with helper scripts. The instructions recommend installing from npm (npm install -g @larksuite/cli) or building from the public GitHub repo; both are standard distribution channels. Note: global npm installs (-g) and the npx skills add command will modify the system/global agent skill list; that's expected but has system-wide impact.
- Credentials (ok): The skill requests no environment variables or credentials itself. It guides the user to provide LARK_APP_ID/LARK_APP_SECRET to the lark-cli (entered by the user) and explicitly warns not to share secrets publicly. Mention of LARK_CONFIG_FILE in troubleshooting is contextual and not required by the skill.
- Persistence & Privilege (note): always:false and disable-model-invocation:false (normal). The guide instructs installing global skills (npx skills add -g), which makes the lark-* skills available to all agents on the host; this is expected for providing Feishu features but is a meaningful system-wide change the user should be aware of.
