Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and SKILL.md are coherent: the skill reads Feishu (Bitable) data and generates operations reports. However, the manifest declares no credentials or required env vars even though the SKILL.md explicitly says the app needs Bitable read permission. The missing declaration of how credentials are supplied is a gap (could be platform-provided connector or an omission).
Instruction Scope
SKILL.md narrowly instructs reading Bitable fields, computing metrics, and emitting a report; it does not ask to read unrelated files, environment variables, or to send data to arbitrary external endpoints. Scope is appropriate for the stated purpose.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes risk from downloads or arbitrary code execution.
Credentials
The skill requires Feishu Bitable access in practice, but the registry metadata lists no required env vars or primary credential. That mismatch could be benign if the platform supplies a connector, but it also could indicate the skill's author omitted needed declarations. Additionally, there is no publisher/homepage contact to validate intent.
Persistence & Privilege
always is false and the skill is user-invocable with normal model invocation. The skill does not request persistent system presence or modify other skills; no elevated privileges are declared.
What to consider before installing
This instruction-only skill appears to do what it says (read Feishu Bitable and generate a report) and has a small surface area, but you should verify how it will access your Feishu data before enabling it. Ask or check: (1) how are Feishu/Bitable credentials supplied—via a platform connector or environment variables? (2) what exact app scopes/permissions will be granted (limit to Bitable read only)? (3) where are generated reports stored or sent—are they kept locally in the agent, posted back to an external service, or emailed? (4) who published the skill (there's no homepage/contact)? If you can't confirm these, test with a non-sensitive/dummy Feishu table and least-privilege app credentials, or decline installation until the publisher provides contact and clear credential instructions.
Like a lobster shell, security has layers — review code before you run it.
latestvk979wj3qwxkb3sjjffxdg36y5n83esk8
