Skill v1.2.0
ClawScan security
Feishu Doc Collab · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 17, 2026, 2:41 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (auto-responding to Feishu document edits) matches the included files, but it requires modifying a running extension file and reads a local OpenClaw config token that was not declared — these persistent, high-impact changes warrant caution and a manual code review before installing.
- Guidance: This skill will overwrite your OpenClaw/Lark monitor code and read your ~/.openclaw/openclaw.json hooks.token to call the local /hooks/agent endpoint. That behavior is required for the feature, but the registry did not declare the config path or token requirement, so it is easy to miss. Before installing: (1) review references/monitor-full-patched.js line by line to confirm it only performs the documented actions (reads openclaw.json, debounces edits, POSTs to localhost); (2) back up your existing monitor.js/ts (the script does this, but double-check); (3) test in a non-production environment first; (4) consider creating a dedicated OpenClaw gateway/hooks token with minimal privileges to limit blast radius; (5) verify the skill's publisher/trustworthiness, since the package author could replace the packaged monitor file with code that exfiltrates secrets. If you are uncomfortable modifying installed extension files or exposing a hooks token, do not install this skill.
Review Dimensions
- Purpose & Capability (note): The skill's code and instructions align with the stated purpose: it patches the Feishu/OpenClaw monitor to detect document edit events and trigger an isolated agent session. However, the skill accesses the OpenClaw hooks token stored in ~/.openclaw/openclaw.json (to call /hooks/agent) even though no config paths or credentials are declared in the registry metadata, an inconsistency between declared requirements and actual needs.
- Instruction Scope (concern): The SKILL.md and scripts explicitly instruct the operator to overwrite the platform's monitor.js/monitor.ts with the provided patched file and to enable a hooks token in openclaw.json. The instructions therefore direct reading of a local config file (~/.openclaw/openclaw.json) and modification of an unrelated extension file, activities outside the simple 'skill' scope and high-impact (a persistent change to platform behavior).
- Install Mechanism (concern): There is no remote download, but the provided patch script copies a packaged reference JS file over the platform's monitor file (with a backup). Overwriting an installed extension file is high-impact: it modifies code that will run continuously and survive restarts/updates. The script is idempotent and makes a backup, but this install approach requires filesystem write access to system/user extension locations and therefore increases risk.
- Credentials (concern): The registry lists no required env vars or config paths, but the runtime code reads ~/.openclaw/openclaw.json to extract hooks.token and gateway.port. That token is a sensitive local secret used to authorize calls to /hooks/agent; the skill requires it to operate, but the metadata did not declare it. Reading local config files containing credentials is proportionate to the stated goal, but the lack of declaration is an inconsistency and a potential surprise to users.
- Persistence & Privilege (concern): The skill persists by replacing the platform's monitor implementation and registering event handlers that autonomously trigger agent sessions on document edits. While autonomous invocation is a normal capability, the combination of (a) modifying an extension file that runs continuously and (b) needing a hooks token to call into the agent gives the skill persistent, operational privilege on the host. This change is not gated by the registry metadata and thus deserves caution.
