ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Perm

v1.0.0

Manage Feishu document, file, folder, or wiki permissions by setting access levels, sharing, or revoking user or group permissions.

0· 123·1 current·1 all-time
by@erick0309
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's purpose is to manage Feishu documents/files/wiki permissions, which normally requires API credentials or an authenticated connector. The package declares no required environment variables, no primary credential, and no install steps. The SKILL.md references tools named feishu_doc, feishu_drive, and feishu_wiki but does not explain how those tools obtain Feishu access. That mismatch (permission management vs. no declared auth) is a coherence problem unless the platform provides those connectors — which is not documented here.
Instruction Scope
The SKILL.md gives narrowly scoped, appropriate runtime instructions (set access levels, share, revoke) and does not ask the agent to read unrelated files or environment variables. However, it omits any runtime detail about authentication or what the feishu_* tools expect (tokens, OAuth flow, user consent), which leaves operational scope underspecified.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That lowers installation risk because nothing is written to disk by the skill itself.
!
Credentials
No environment variables, credentials, or config paths are declared despite the need to perform privileged actions on Feishu. Requiring zero credentials for a permissions-management skill is disproportionate unless the platform supplies the authenticated feishu_* tools; the skill should state that explicitly and list which credentials or connector scopes it needs.
Persistence & Privilege
always:false and model invocation enabled are standard. The skill does not request permanent presence or system-wide configuration changes.
What to consider before installing
This skill's intent (manage Feishu permissions) requires authenticated access, but the package declares no credentials or provenance. Before installing: 1) Ask the publisher how authentication is handled — does the platform supply feishu_doc / feishu_drive / feishu_wiki connectors, and what OAuth scopes or tokens are used? 2) Prefer skills that list required env vars or connector scopes explicitly and have a verifiable source/homepage. 3) If you test it, use a least-privilege Feishu account and monitor audit logs for unexpected changes. 4) If the platform provides the feishu_* tools, confirm their trust and scope; if not, treat the missing auth detail as a risk and avoid installing until clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b56ewyer9bbq6dgaby72n6983wjxv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments