feishu-team-manager
Security checks across malware telemetry and agentic risk
Overview
This skill matches its stated Feishu/Discord team-management purpose, but it warrants Review because it encourages bypassing install warnings and can make persistent, broad changes to your OpenClaw agent routing.
Install only if you are comfortable with this skill modifying ~/.openclaw/openclaw.json, creating persistent agent workspaces, copying itself into an HR workspace, and configuring bot routing. Do not use --force just because the docs say warnings are normal; first review the source, back up OpenClaw config, keep bot tokens in environment variables, and restrict Discord/Feishu sender access instead of using open or wildcard defaults.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may override installation warnings for a skill that can run local commands and change agent routing/configuration without doing an independent review.
The user-facing guide tells users to treat security warnings as normal and bypass them with --force; the registry also lists source as unknown/homepage none, so the open-source reassurance is not evidenced by the supplied metadata.
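If you encounter a security warning (this is normal), use a forced install: clawhub install feishu-team-manager --force The skill may be flagged as "suspicious" by VirusTotal... this is normal; the skill's code is open source and can be reviewed.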
Do not present force-install as the normal path. Provide a verifiable source repository, explain the exact risks, and advise users to review warnings before using --force.
Anyone who can reach the configured bot may be able to interact with routed agents unless the user separately constrains Discord/Feishu access.
The generated Discord channel configuration allows open direct-message behavior and all senders by default, which is broad for a bot that routes messages into OpenClaw agents.
"accounts": {
  "default": {
    "dmPolicy": "open",
    "allowFrom": ["*"]
  }
}
Default to explicit allowlists for user IDs/server IDs, document the exposure clearly, and require users to opt in before enabling open DM or wildcard sender policies.
Unexpected path values or shell metacharacters could cause unintended file changes or command behavior, and the commands can materially alter the local OpenClaw environment.
The skill shell-executes recursive delete/copy and OpenClaw agent-registration commands using interpolated paths; this is central to the purpose but high-impact and not safely argument-quoted.
execSync(`rm -rf ${targetSkillPath}`);
execSync(`cp -r ${skillSourcePath}/* ${targetSkillPath}/`);
execSync(`openclaw agents add hr_recruiter --workspace ${hrWorkspace}`);
Use safer filesystem APIs or spawn/execFile with argument arrays, quote and validate all paths, and show a dry-run/confirmation before recursive deletion or agent registration.
Changes to this skill can be propagated into another agent workspace automatically, making it harder for users to understand or contain where the skill is active.
After the HR agent exists, the main-agent path automatically copies the skill into the HR workspace without a per-sync confirmation, creating persistent cross-agent propagation.
const targetSkillPath = path.join(hrWorkspace, 'skills/feishu-team-manager');
execSync(`cp -r ${skillSourcePath}/* ${targetSkillPath}/`);
console.log("✅ 技能文件已同步至 HR 空间。");
Make cross-workspace synchronization opt-in, log exactly what was copied, provide a clear disable/uninstall path, and require confirmation before syncing executable skill files.
