Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Cli Board
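v1.0.0
Full-featured Feishu whiteboard operations: create whiteboards; draw architecture diagrams, flowcharts and kanban boards (with precise control of node position and style through the create-notes API); import Mermaid/PlantUML diagrams; download whiteboard images; get and copy whiteboard nodes. When the user asks for "画个图" (draw a diagram), "画架构图" (draw an architecture diagram), "画流程图" (draw a flowchart), "画板" (whiteboard), "whiteboard", "create-not...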
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (manipulate Feishu whiteboards) aligns with the operations described (feishu-cli create-doc, add-board, board create-notes, import, image). However the SKILL.md requires FEISHU_APP_ID/FEISHU_APP_SECRET or ~/.feishu-cli/config.yaml for authentication, yet the registry metadata lists no required env vars or config paths — this mismatch is incoherent and could lead to unexpected runtime behavior or missing security prompts.
Instruction Scope
The runtime instructions are specific and limited to using the feishu-cli and the Feishu board APIs (create docs/boards, POST nodes, export image). They instruct the agent to read a local config (~/.feishu-cli/config.yaml) or environment variables for auth and to write temporary JSON files (e.g., /tmp/*.json). The instructions do not direct arbitrary file harvesting or exfiltration of data to external endpoints beyond the Feishu APIs, but they do reference local config paths that were not declared in metadata.
Install Mechanism
Instruction-only skill with no install spec and no bundled code — minimal disk footprint and lower install risk. It assumes the presence of an external CLI (feishu-cli) but does not fetch or install binaries itself.
Credentials
The credentials required in the SKILL.md (FEISHU_APP_ID and FEISHU_APP_SECRET or a local feishu-cli config file) are proportionate to the Feishu integration. However the registry metadata does not declare these required env vars or the config path, creating a misleading/undocumented credential requirement. The skill also asks for specific Feishu app permissions (board:whiteboard, docx:document) which are appropriate.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or system-wide privileges. Allowed tools include Read/Write and Bash (needed to run feishu-cli and to read/write temporary JSON), which is expected for a CLI-driven skill.
What to consider before installing
This skill appears to do what it says (precise Feishu whiteboard operations) but the package metadata omits the authentication requirements documented in SKILL.md. Before installing: (1) verify you have and trust an official feishu-cli binary; (2) only provide a Feishu App ID/Secret for a least-privilege app scoped to board:whiteboard and docx:document — do not reuse admin or unrelated credentials; (3) inspect any ~/.feishu-cli/config.yaml the skill will read and consider running in a sandbox/VM first; (4) ask the publisher to update registry metadata to declare required env vars and config paths so the requirement is transparent. If you cannot confirm the feishu-cli source or the app credentials' scope, avoid installing.
Like a lobster shell, security has layers — review code before you run it.
