Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Cli Chat

v1.0.0

Feishu conversation browsing, message interaction and group chat management. View chat history, fetch group chat history messages, search group chats, get message details, react to messages with emoji (Reaction), pin/unpin messages, delete messages, and query and manage group chat information (get/update/dissolve/member management). Supports both regular groups and topic groups; for topic groups, thread replies are fetched automatically. All commands require a User Token. When the user asks to "view...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The SKILL.md repeatedly states that a User Token is mandatory and shows many feishu-cli commands; however, the skill metadata lists no required environment variables, no primary credential, and no required binaries. A feishu-cli-based chat-management skill should declare the feishu-cli binary and the need for a User Token (or explain how authentication is provided). The absence of those declarations is incoherent.
Instruction Scope
The runtime instructions stay within the stated purpose (searching, reading, summarizing and managing Feishu chats) and do not instruct reading unrelated system paths or exfiltrating data to third-party endpoints. They instruct use of feishu-cli commands and local temporary files for paging/aggregation.
Install Mechanism
This is an instruction-only skill with no install spec (lower risk). That said, it implicitly requires the feishu-cli tool to be present; the metadata does not declare that dependency, which reduces clarity about required environment setup.
Credentials (flagged)
The documentation explicitly requires a User Token (with broad read access to private and group messages) and mentions App Token for a few actions, but the skill metadata declares no credentials or env vars. Additionally, allowed-tools include Read/Write — which could let the agent read local token files if present. The skill should explicitly declare credential needs and justify them.
Persistence & Privilege
The skill is not always-on, does not request elevated platform privileges, and does not include installation steps that modify other skills or global config. No persistent or forced inclusion was requested.
What to consider before installing
This skill appears to be the right kind of tool for browsing and managing Feishu (Lark) chats, but its metadata omits two important things: (1) it relies on the feishu-cli binary being available, and (2) it requires a User Token that grants access to private and group messages. Before installing or enabling it, ask the provider to: (a) declare required binaries (feishu-cli) and how authentication is supplied, (b) explain where credentials/tokens are stored and whether the agent will read those files, and (c) confirm the minimum token scopes needed. If you proceed, limit token scope where possible, test in a non-production account, and avoid granting it access to highly sensitive conversations until you trust the source.


