Back to skill
Skillv1.1.0
ClawScan security
Feishu Messenger · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 3:58 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only Feishu messaging helper that consistently documents using the OpenClaw CLI and a workspace for media files; it does not request unrelated credentials, install software, or perform surprising actions.
- Guidance
- This skill is an instruction-only wrapper that calls your existing OpenClaw CLI to send Feishu messages. Before installing or using it: (1) confirm your OpenClaw environment already holds valid Feishu credentials (app ID/secret or access token) — the skill does not declare or request them; (2) be mindful that any file you copy into ~/.openclaw/workspace will be sent if referenced, so avoid placing sensitive data there; (3) verify file size/type limits with your Feishu tenant and OpenClaw configuration; (4) because there is no code to inspect, check how OpenClaw stores/uses Feishu tokens (so you understand where credentials live). Overall the skill is coherent and contains no obvious red flags.
Review Dimensions
- Purpose & Capability
- okName/description (send Feishu messages with text/media) matches the instructions: all examples call 'openclaw message send --channel feishu' and describe sending files from the OpenClaw workspace. Nothing requested appears unrelated to messaging.
- Instruction Scope
- okSKILL.md confines actions to copying files into ~/.openclaw/workspace and invoking the openclaw CLI. It does not instruct reading unrelated system files, exfiltrating data, or posting to unexpected endpoints. Examples and the Python snippet simply call the CLI.
- Install Mechanism
- okNo install spec or code is included; this instruction-only skill writes nothing to disk and does not download or install external packages.
- Credentials
- noteThe skill declares no required env vars or credentials. That is plausible because authentication appears delegated to the platform's OpenClaw CLI/config, but the SKILL.md does not say where Feishu credentials are stored or how they are provisioned — verify OpenClaw already has the appropriate Feishu app credentials or tokens before use.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It doesn't request persistent/system-wide privileges or attempt to modify other skills or global config.