ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ali Feishu Project(Teambition/Meego) SKILL

v1.0.1

Guide you to install plugins, obtain robotUserToken via DingTalk scan, configure and enable teambition skill to register a digital worker on Teambition.

0· 138·0 current·0 all-time
by@gaohuifeng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description claim the skill will guide installing plugins and obtaining a robotUserToken for Teambition/Meego; the SKILL.md simply points to the official tb-skills README and a connector link, which is consistent and does not ask for unrelated resources.
Instruction Scope
SKILL.md is very short and only instructs the agent to follow the linked documentation. This is within scope but vague — it gives the agent broad discretion to execute the steps described by the external docs, so review those docs before proceeding.
Install Mechanism
No install spec and no code files; instruction-only skill means nothing will be written to disk by the skill itself.
Credentials
The skill declares no required environment variables, binaries, or config paths. The described task (obtaining a robotUserToken via DingTalk scan) inherently involves user credentials/tokens, but the skill does not request them directly — this is proportional but requires user caution when performing token-granting steps.
Persistence & Privilege
always is false and model invocation is allowed (default). The skill does not request persistent presence or modify other skills; no elevated privileges are requested.
Assessment
This skill is just a pointer to external Teambition/Meego integration docs and does not install or request secrets itself, which makes it internally coherent. Before using it: (1) inspect the linked GitHub README and the clawhub connector page to confirm they are legitimate and match what you want to do; (2) be careful when generating or sharing robotUserToken/DingTalk tokens — do not paste tokens into chat; prefer official OAuth flows if available; (3) verify the scope and permissions of any token you create (use a limited test account if possible); (4) confirm the third-party connector (clawhub.ai) is trustworthy before using it; and (5) avoid granting the agent autonomous control over accounts or tokens unless you fully trust the source and have reviewed the exact steps it will perform. If you want higher assurance, ask the skill publisher for provenance (homepage, source repo) or follow the external docs yourself rather than letting the agent act.

Like a lobster shell, security has layers — review code before you run it.

latestvk974xcfjj4wphvx9x3jcyvav058372qy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments