Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Cli Export
v1.0.0将飞书文档或知识库文档导出为 Markdown 文件,或导出为 PDF/Word 等格式(异步任务)。 当用户请求"导出文档"、"导出为 Markdown"、"转换为 Markdown"、"保存为 md"、 "导出 PDF"、"导出 Word"、"下载文档"时使用。 本技能专注于导出操作。从本地 DOCX 文件导...
⭐ 0· 138·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Skill purpose (export Feishu docs to Markdown/PDF/Word and download images) is coherent with the runtime steps (calling feishu-cli doc/wiki export, downloading assets, reading output files). Requesting Feishu app credentials and user tokens is expected for this functionality, so the capability aligns with purpose.
Instruction Scope
SKILL.md stays focused on export operations: parsing document IDs/URLs, invoking feishu-cli export commands, downloading images to an assets dir, and reading the resulting markdown/images for preview/analysis. It does instruct reading local files (e.g., /tmp and assets dir, and the feishu-cli config) which is necessary for the feature and is explicitly described.
Install Mechanism
Instruction-only skill with no install spec and no code files. It relies on an existing feishu-cli binary on PATH; there is no remote download or archive extraction described in the skill itself.
Credentials
SKILL.md requires FEISHU_APP_ID/FEISHU_APP_SECRET or reading ~/.feishu-cli/config.yaml and may auto-read saved User Access Tokens. However, the registry metadata declares no required env vars or config paths. The skill will access local credential storage (user token/config) which is sensitive; the missing declaration is an inconsistency and increases risk if users expect metadata to surface required secrets.
Persistence & Privilege
The skill is not always: true and does not request persistent system-wide privileges. Autonomous invocation is allowed (platform default), but there is no indication the skill modifies other skills or system-wide configs.
What to consider before installing
This skill appears to do what it says (use feishu-cli to export Feishu docs and optionally download images), but pay attention to credentials and local-file access: SKILL.md requires FEISHU_APP_ID/FEISHU_APP_SECRET or a saved user token in ~/.feishu-cli/config.yaml, yet the registry metadata does not declare these. Before installing or invoking: (1) ensure you have feishu-cli installed from a trusted source; (2) limit tokens to the minimum scopes (readonly/doc export) and consider using a dedicated app/account for exports; (3) be aware the agent will read files under /tmp and any assets dir (images) and will read saved tokens — don’t run this skill on a machine holding highly sensitive credentials you don't want the agent to access; (4) ask the publisher to update metadata to list required env vars/config paths explicitly so you can audit them. If you want higher assurance, request the skill author to declare required env vars and to document exactly how feishu-cli stores tokens and where the skill will read them.Like a lobster shell, security has layers — review code before you run it.
latestvk974vyhc41meew3cvdfyyv43qx83605w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.