Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xiao Ai Public Opinion AI Labeling (OpenAI-compatible)
v1.2.0
Incrementally AI-labels unmarked records in Feishu bitable, adding fields like type, sentiment, competitor mention, platform, brand safety, and content safety.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (incremental labeling of Feishu bitable rows) legitimately requires Feishu app credentials (APP_ID/APP_SECRET) and access to open.feishu.cn. However, the packaged wrapper (label_skill.py) requires OPENAI_API_KEY, OPENAI_BASE_URL and OPENAI_MODEL as mandatory, even though SKILL.md and README present use of an internal/stdin fallback as an option. Requiring an external LLM gateway is disproportionate to the declared inputs/description without explicit documentation in SKILL.md.
Instruction Scope
SKILL.md lists network permission only for https://open.feishu.cn and describes an optional stdin fallback. The code will call an arbitrary OPENAI_BASE_URL (user-provided) for model calls and enforces the presence of those credentials, meaning it will transmit record text to a third‑party model gateway. SKILL.md does not declare the openai_* inputs, nor does the permission block allow arbitrary LLM endpoints — this is a mismatch that could cause unexpected external data transmission.
Install Mechanism
No install spec; code is provided as Python files and runs via python label_skill.py. There is no external archive download or opaque installer. That lowers install risk compared with network installers.
Credentials
The skill requires Feishu app credentials (appropriate for writing back to the bitable) but also requires OpenAI gateway credentials (OPENAI_API_KEY/OPENAI_BASE_URL/OPENAI_MODEL) which are not declared in SKILL.md inputs and are mandatory in label_skill.py. Requiring an API key and an arbitrary gateway URL is high‑privilege relative to the simple labeling description and could expose user data to an untrusted LLM endpoint.
Persistence & Privilege
Flags show always:false and no attempts to modify other skills or system configs. The skill does not request permanent inclusion or system-wide privileges beyond using network and local prompt files included in the package.
What to consider before installing
This package will read records from your Feishu bitable and (per code) requires you to provide APP_ID and APP_SECRET to write labels back — that part aligns with its purpose. However, the runtime wrapper currently enforces providing OPENAI_API_KEY, OPENAI_BASE_URL and OPENAI_MODEL, and will send the record text to whatever model gateway you configure. SKILL.md does not declare these required inputs nor does the declared network permission allow arbitrary LLM hosts. Before installing or running:
1) Treat OPENAI_BASE_URL as a sensitive endpoint — only point it to a trusted, audited gateway you control (or don't set it if you don't want to send data externally).
2) If you expect the stdin/fallback mode, confirm with the author or update label_skill.py — as distributed it forces external LLM usage.
3) Prefer running in a restricted/sandbox environment and inspect/run the code locally with non-production data first.
4) Ensure the Feishu APP_ID/APP_SECRET you supply follow least privilege (scoped tokens) since the skill will use them to read/write the bitable.
5) If you need this skill for internal use but cannot trust external LLM gateways, ask the maintainer to: a) document required env inputs in SKILL.md, b) make stdin fallback actually optional (not failing when openai vars are missing), and c) adjust the network permission list to include any required LLM hosts or explicitly state they are user-controlled.
Like a lobster shell, security has layers — review code before you run it.
latest vk97e70m1v557c6vvpcjvj85wqn83hbty
