Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yuqing Data To Bitable

v2.0.0

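Incrementally pulls public-opinion monitoring (yuqing) data from the xiaoai data API, writes it automatically to a Feishu Bitable, and supports field mapping and auto-incrementing case_id.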

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for frankieway/yuqing-data-to-bitable.

Install the skill "Yuqing Data To Bitable" (frankieway/yuqing-data-to-bitable) from ClawHub.
Skill page: https://clawhub.ai/frankieway/yuqing-data-to-bitable
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install frankieway/yuqing-data-to-bitable

ClawHub CLI

npx clawhub@latest install yuqing-data-to-bitable

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The included Python scripts clearly implement incrementally fetching from the xiaoai API and writing to Feishu Bitable (matching the skill description). Requesting Feishu app_id/app_secret and the xiaoai token is coherent with that purpose.
! Instruction Scope
SKILL.md's entrypoint references 'xiaoai_to_bitable_skill.py' which does not exist in the package; the actual runnable code is main.py and excel_to_feishu_bitable.py. SKILL.md inputs list minutes/folder_id/customer_id/bitable_url but do NOT declare the required credentials (Feishu APP_ID/APP_SECRET and XIAOAI_TOKEN) that main.py and the shell scripts expect. This mismatch means the declared runtime instructions are incorrect/insufficient and could lead to surprising behavior or misconfiguration.
Install Mechanism
No install spec (instruction-only style) and no remote downloads; files are bundled in the skill. This has lower install risk, though the package will write caches, logs, lock files to its directory when run.
! Credentials
The code requires multiple sensitive secrets (Feishu APP_ID and APP_SECRET for tenant_access_token; XIAOAI_TOKEN for the data API), and these are not declared in the skill metadata's required env vars/primary credential. The shell scripts expect a .env file with APP_ID, APP_SECRET, XIAOAI_TOKEN, BITABLE_URL, etc. The omission in metadata is a red flag for transparency and least privilege.
Persistence & Privilege
always is false and the skill does not request system-wide privileges, but the bundled scripts create logs, caches (.cache/tenant_token.json, existing_keys.json), a lock file, and a status JSON in the skill directory. It also contains cron example lines — the skill is designed for periodic autonomous runs; this is expected but worth noting.
Scan Findings in Context
[NO_REGEX_FINDINGS] expected: Static regex scanner reported no findings. That does not imply safety: the package includes network calls and credential handling that must be reviewed. The primary issues here are metadata/instruction mismatches rather than obvious malicious patterns.
What to consider before installing
This package appears to implement the described sync (pull from xiaoai API and write to Feishu Bitable), but there are important inconsistencies and transparency gaps you should address before installing:
- DO NOT run it without inspecting .env: the scripts expect APP_ID, APP_SECRET (Feishu), XIAOAI_TOKEN, BITABLE_URL, FOLDER_ID, CUSTOMER_ID, etc. These are sensitive — keep them secret.
- SKILL.md is wrong/incomplete: it references a non-existent entrypoint and omits the required credentials. Confirm the runtime entrypoint (main.py) and supply credentials only when you trust the code.
- The skill writes local caches, logs, a status file, and a lock file in its directory. If you run it on a shared/privileged host, run in an isolated/sandboxed environment or container and ensure file permissions are appropriate.
- Network endpoints used are open.feishu.cn (Feishu) and http://wisers-data-service.wisersone.com.cn (xiaoai backend). If those endpoints are unexpected for your environment, do not run it.
- If you plan to deploy: test in a safe environment, verify the exact HTTP calls (you can run with a request recorder or inspect logs), and consider creating limited-scope credentials (least privilege) for Feishu.

Given the metadata/entrypoint omissions, treat this skill as untrusted until you validate the files and provide credentials in a controlled manner.

Like a lobster shell, security has layers — review code before you run it.

latestvk978695z0s6txhh68fhcn9yajd82vas9
284 downloads
1 star
4 versions
Updated 15h ago
v2.0.0
MIT-0

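name: xiaoai_to_bitable
version: "1.0.0"
# description (English): Incrementally pulls data from the xiaoai data API and writes it to a
# Feishu Bitable (supports auto-incrementing case_id, ingestion time set to the write time,
# and automatic per-field creation/mapping).
description: >
  从小爱数据接口增量拉取数据,并写入飞书多维表(支持 case_id 自增、入库时间为写入时间、按字段自动创建/映射)。

entrypoint:
  command: "python"
  args:
    - "xiaoai_to_bitable_skill.py"

inputs:
  - name: minutes
    type: integer
    required: false
    default: 60
    # English: number of minutes to backfill, counted back from the current time (default 60 minutes)
    description: 往前补偿的分钟数(基于当前时间,默认 60 分钟)

  - name: folder_id
    type: integer
    required: false
    default: 763579
    # English: xiaoai API folder_id
    description: 小爱接口 folder_id

  - name: customer_id
    type: string
    required: false
    default: "xmxa"
    # English: xiaoai API customer_id
    description: 小爱接口 customer_id

  - name: bitable_url
    type: string
    required: false
    # English: link to the target Feishu Bitable view (containing the base/app_token and table
    # parameters). If not provided, the BITABLE_URL built into the script is used.
    description: >
      目标飞书多维表视图链接(包含 base/app_token 和 table 参数)。
      若不提供,则使用脚本中内置的 BITABLE_URL。

outputs:
  - name: inserted_count
    type: integer
    # English: number of records actually written to the Bitable in this run
    description: 本次实际写入到多维表的记录数

permissions:
  network:
    - "https://open.feishu.cn"
    - "http://wisers-data-service.wisersone.com.cn"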
