ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

飞书开放平台应用自动化配置

v1.0.0

自动化完成飞书开放平台企业自建应用的创建、权限配置、事件订阅、改名和版本发布,简化繁琐操作流程。

0· 394·0 current·0 all-time
by@evan966890
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to automate creation/configuration/publishing of a 飞书 (Feishu) enterprise app using agent-browser. The runtime instructions exclusively drive a browser UI, extract App ID/Secret from the console, paste permission JSON into the Monaco editor, and prompt updating openclaw.json and restarting the Gateway — all actions coherent with the stated purpose.
Instruction Scope
The SKILL.md instructs the agent to extract sensitive values (App ID and App Secret) from the web UI and to edit openclaw.json and restart the Gateway. Those actions are necessary for setup, but the document uses undefined placeholders (APP_ID, PERM_JSON) and omits explicit commands for editing/restarting Gateway. The instructions assume an existing logged-in browser session and the agent-browser skill. Because the agent will read secrets from the page, you should treat this as handling sensitive data and confirm storage/transfer practices before running.
Install Mechanism
Instruction-only skill with no install spec and no code files. No artifacts are downloaded or written by the skill package itself — lowest install risk. It does require the separate 'agent-browser' skill and a running OpenClaw Gateway, which the README lists as preconditions.
Credentials
The skill requests no environment variables or external credentials in its metadata. It does instruct the operator to extract App ID/Secret from the Feishu console and to place them into openclaw.json for Gateway connections — which is proportionate to the goal. There are no unrelated credential requests.
Persistence & Privilege
always is false and the skill does not request system-wide persistence. It expects the user to update OpenClaw config and restart the Gateway (operator action), but it does not itself claim elevated or always-on privileges.
Assessment
This skill automates browser actions on the Feishu console and will read sensitive values (App ID and App Secret) from your logged-in session and instruct you to add them to openclaw.json so the Gateway can open WebSocket subscriptions. Before using: (1) Confirm you trust the 'agent-browser' skill and the environment where it's run (a logged-in browser session contains your account access). (2) Be prepared to supply or verify APP_ID and PERM_JSON values — the SKILL.md uses these placeholders but doesn't define how they are set. (3) Back up openclaw.json and avoid running this against production tenants until tested. (4) Ensure the Gateway and local machine are secure (the process requires storing app secrets locally). (5) If you want stricter control, perform the steps manually or run the skill in a sandbox/test tenant so you can inspect each change before committing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bba1fb83425gt17y0v2xt058223g4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments