Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Inspiration

v1.0.0

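Pushes content related to Chinese classical studies masters such as Ni Haixia and Nan Huaijin on a daily schedule, delivered to the user via Feishu. Topics include Buddhist liberation, qigong, the I Ching (Zhouyi), and traditional Chinese medicine. Use when: the user asks to receive daily information related to spiritual practice.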

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (daily Feishu push of classical/health content) is reasonable. However, the skill declares no required credentials or config for Feishu nor any install steps. That could be fine if it relies on the agent's built-in 'message' tool, but the package itself does not implement Feishu integration, so it's unclear who/what will actually perform the sends.
! Instruction Scope
SKILL.md instructs the agent to run scheduled tasks, perform 'batch_web_search' to gather content, extract useful fragments, and send via a 'message' tool to Feishu. The included Python script only selects a topic and formats a string; it does not perform web searches, scraping, or send messages. The runtime instructions therefore grant the agent broad authority (web search + message delivery) that is not reflected in the code, and the scheduling mechanism is unspecified.
Install Mechanism
No install spec (instruction-only plus a small helper script). This minimizes on-disk install risk—there is no external download or package installation declared.
! Credentials
The skill requests no environment variables or credentials, yet SKILL.md expects sending messages to Feishu. Sending to Feishu typically requires tokens/keys; absence of declared credentials is disproportionate unless the agent's 'message' tool provides delivery without additional config. The skill also doesn’t declare or document where web-search results come from or whether API keys are needed for the search tool.
Persistence & Privilege
always is false and there's no evidence the skill requests elevated or permanent presence. The skill does state it runs on scheduled triggers, but the manifest doesn't force inclusion or ask to modify other skills/configs.
What to consider before installing
Before installing, verify these points with the skill author: (1) How are Feishu messages delivered? Ask for the exact mechanism and required credentials (e.g., FEISHU_TOKEN) and where those should be stored. (2) Confirm the scheduled trigger mechanism—who configures the cron/timer that runs this skill? (3) The included script only selects/formats a topic and prints it; ask for the code that performs web searches and sends messages, or clarify that the agent's built-in 'batch_web_search' and 'message' tools will be used. (4) If you will provide Feishu credentials, ensure they are scoped minimally and stored securely. (5) Consider testing in a safe environment/account first to confirm no unexpected messages or data exfiltration occur. The mismatches here look like an oversight or incomplete implementation rather than clearly malicious code, but you should get these clarifications before trusting it with credentials or enabling automated sends.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f0ke9z0kwcny2sr1cjyd10n83aad2

