Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

小爱舆情结果飞书推送 (Xiaoai public-opinion results, Feishu push)

v1.1.0

Filters records from a Feishu Bitable (multi-dimensional table) by a rule, formats the content, automatically pushes it to a specified Feishu group bot webhook, and updates the push-status field.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the code talks to open.feishu.cn (tenant token, bitable records, record update) and posts to a provided Feishu webhook. Required inputs (bitable_url, app_id/app_secret, webhook_url, rule_expression, message_template) are appropriate and necessary for the stated functionality.
Instruction Scope
Runtime instructions and code stay within the stated scope (fetch records, evaluate rule, render message, post webhook, mark records). One notable implementation detail: eval(rule_expression, ...) evaluates a user-supplied Python expression with __builtins__ removed and only the record's fields available as locals. That is workable for filter expressions written by the operator, but stripping builtins is not a sandbox: the expression can still access attributes and call methods on the field values it is given, so rule_expression must be treated as trusted input and never sourced from the table itself or from other users. The skill reads only its inputs and talks only to Feishu endpoints; it does not reference unrelated system files or external hosts.
Install Mechanism
No install spec; the skill ships as instructions plus the included Python files. requirements.txt lists requests/urllib3, which matches code usage. Nothing is downloaded from arbitrary URLs and no archive extraction is present.
Credentials
Requested secrets (app_id, app_secret, webhook_url) are directly relevant to Feishu API usage. The skill does not request unrelated credentials or config paths. The code accepts inputs via environment variables or INPUT_* names (consistent with typical runner behavior).
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It modifies only records in the specified bitable table (it sets the '是否推送' ("pushed?") field), which matches its purpose.
Assessment
This skill appears to do exactly what it says: read a Feishu bitable view, filter records by a user-provided Python expression, post formatted messages to a Feishu group webhook, and mark records so they are not pushed twice. Before installing:
(1) review and test with a small limit (e.g., limit=5) against a non-production Feishu app and base to confirm behaviour;
(2) use an app_id/app_secret and webhook_url that belong to a dedicated service account you control, granted only what this base and group need;
(3) treat rule_expression as trusted input: removing builtins from eval does not sandbox it, so only paste expressions you wrote or reviewed yourself;
(4) review message_template and the field contents it renders, since whatever is in the table (including links or text supplied by third parties) will be forwarded into the group message;
(5) inspect the full push_skill.py (and scripts/push.py) if you need to be certain no additional network endpoints or logging of secrets are present.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
push_skill.py:103 · Dynamic code execution detected.


Version: latest (vk97fdvvr5k5km4gtnnjhrzk2r983hyny)
