Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Bot
v1.0.0
Feishu (Lark) Bot integration for messaging, group management, and approval workflows. Send messages, manage groups, handle approvals, and automate notificat...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and feishu_bot.py both implement expected Feishu bot capabilities (messaging, group mgmt, approvals) and call the Feishu Open Platform endpoints. This capability matches the name/description. However, the registry metadata declares no required environment variables or primary credential even though the instructions and code require FEISHU_APP_ID and FEISHU_APP_SECRET.
Instruction Scope
The runtime instructions are scoped to Feishu API interactions: sending messages, uploading images, group and approval APIs. They instruct setting FEISHU_APP_ID/FEISHU_APP_SECRET and using the provided methods. The SKILL.md does not instruct reading unrelated system files or transmitting data to unexpected external endpoints.
Install Mechanism
There is no install spec (instruction-only plus a Python source file). This reduces install risk. However, the code imports the third-party 'requests' library but the skill does not declare dependencies; the runtime may fail or implicitly rely on the package already being present in the environment.
Credentials
The SKILL.md and code expect FEISHU_APP_ID and FEISHU_APP_SECRET (sensitive credentials) which are appropriate for a Feishu integration. But the package metadata lists no required env vars or primary credential; that mismatch is concerning because the platform may not surface the credential requirement to you, and the skill will still attempt to read those env vars at runtime. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills or system config, and does not request elevated persistence. It runs as a normal, user-invocable skill.
What to consider before installing
This skill appears to be a straightforward Feishu (Lark) bot implementation, but there are a few things to check before installing:
- The SKILL.md and the Python code require FEISHU_APP_ID and FEISHU_APP_SECRET (sensitive API credentials). The registry metadata did not declare those env vars — confirm the owner will prompt for/provide these securely before enabling the skill.
- The code imports the 'requests' library but no dependency list or install steps are included. Ensure your environment will provide the required Python packages or that you trust the skill won't attempt to pull/install dependencies from untrusted sources.
- Review the code yourself (or ask the publisher) to ensure the FEISHU_APP_ID/SECRET are used only for legitimate Feishu API calls and not forwarded elsewhere. The current code only calls open.feishu.cn endpoints and a user-supplied webhook URL, but always verify the source of the skill and the maintainer's reputation.
- Be cautious if you plan to use upload_image or file-related methods: they will read local files (you must pass a path), so avoid passing sensitive local files.
If you don't trust the publisher or cannot verify how credentials are handled, do not install or provide credentials. If you proceed, supply credentials with the least privilege possible (Feishu app scoped to only the permissions you need) and monitor token usage.
Like a lobster shell, security has layers — review code before you run it.
