ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Automation

v1.0.0

Advanced automation workflows for Feishu (Lark) productivity suite. Use when you need to automate document workflows, sync data across Feishu apps, generate...

2· 616·10 current·10 all-time
byHellen@hejk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill name and description match the included scripts, templates, and reference docs (batch updates, bitable→doc, wiki backup, migrations). The provided code and SKILL.md consistently target Feishu tools and tokens (doc/wiki/bitable/drive). There are no unrelated services or unexpected binaries required by the skill itself.
Instruction Scope
SKILL.md instructs the agent to use OpenClaw's Feishu integration and the included scripts for Feishu operations. The instructions and scripts focus on reading/writing Feishu documents, bitables, wikis and drive; they do not instruct reading arbitrary system files or exfiltrating data to unknown endpoints. The scripts use placeholders/comments for actual tool calls (exec/tool call) rather than embedding hidden network calls.
Install Mechanism
No install spec is present (instruction-only with bundled scripts). No network download/install steps are defined, and all code is included in the package. This is the lowest-risk install model.
Credentials
Registry metadata declares no required env vars, but the sample_config.yaml and scripts clearly expect Feishu credentials/app tokens and optional integration keys (slack webhook, SMTP, webhook secrets). This is expected for a Feishu automation skill, but the metadata omission means the skill manifest doesn't explicitly list the sensitive values you will need to supply. Users should assume Feishu app_id/app_secret or per-operation app-token values are required at runtime.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide persistence or modify other skills. It writes/read local config/log/backup paths per sample_config (standard for automation tools) but does not attempt privileged system changes.
Assessment
This package appears coherent for Feishu automation, but review and take these precautions before enabling it: 1) Prepare a Feishu app with only the minimal scopes required (least privilege) and supply credentials securely (environment variables or secret manager), not committed config files. 2) The skill manifest lists no required env vars, yet sample_config.yaml shows app_id/app_secret, app_tokens, webhook URLs and SMTP credentials—expect to provide those at runtime. 3) Inspect and replace any placeholder webhook/SMTP URLs and secrets; verify external webhook endpoints are trusted before enabling notifications. 4) Run scripts in dry-run mode first (many have --dry-run) and test in a limited sandbox folder/space. 5) Check logging/backup paths and retention (logs/feishu_automation.log, backups/) and ensure sensitive tokens are masked in logs. 6) If you want stricter control, restrict allowed_users/allowed_ips in config and avoid storing long-lived credentials in repo. Overall this skill is consistent with its description but requires normal security hygiene around Feishu credentials and any external webhooks.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f16y4y0hpjjk1qazhc9mhc581gvex

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments