Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
feishu-meeting-minutes
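v1.2.0
Feishu meeting minutes auto-generation tool. Generates structured Chinese meeting minutes from a Feishu Minutes link, a minute token, or an existing transcript file, and can optionally export a PDF and upload it back to Feishu cloud storage. Suited to cases where the user provides a Feishu Minutes link and asks for meeting minutes, asks to turn a verbatim transcript into a formal document, or wants to quickly turn the transcript of a meeting recording into distributable minutes.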
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Feishu meeting minutes) match the code and instructions: the script extracts a minute token or accepts a transcript, calls lark-cli to fetch artifacts/transcripts, summarizes text, renders Markdown, and optionally calls pandoc/xelatex and lark-cli to upload. No unrelated credentials or services are requested.
Instruction Scope
SKILL.md instructs the agent to run the included Node script which itself invokes external CLI tools (lark-cli, pandoc, xelatex). The script reads/writes files under an output/session directory and only references the transcript and metadata needed for summarization. Note: the script uses child process calls to run external CLIs (expected for this workflow). The instructions ask the user to authenticate lark-cli with several Feishu scopes — this is appropriate but grants lark-cli access to fetch minutes/transcripts and to upload files if --upload is used.
Install Mechanism
No install spec — instruction-only with a bundled Node script. No downloads from arbitrary URLs or archive extraction. The runtime relies on existing CLIs (node, lark-cli, pandoc, xelatex) which is proportionate to the described capabilities.
Credentials
The skill requests no environment variables or secret fields. Authentication is delegated to lark-cli (the SKILL.md shows the required Feishu scopes). This is proportional: network access and credentials are handled by the official CLI the user authorizes, not by hidden env variables inside the skill.
Persistence & Privilege
Skill is not always-enabled and does not attempt to modify other skills or system-wide settings. It creates and uses a per-session output directory as documented. Autonomous invocation (disable-model-invocation:false) is the platform default and not a standalone concern here.
Assessment
This skill appears to do what it claims: it runs a local Node script which calls lark-cli to fetch Feishu minute data and optionally uses pandoc/xelatex and lark-cli to produce and upload PDFs. Before installing or running: 1) review the bundled script (scripts/generate_minutes.mjs) yourself — it is included and readable; 2) only grant lark-cli the listed scopes if you trust that CLI and want it to fetch minutes and upload files; 3) if you are concerned about data exfiltration, avoid using --upload and prefer supplying a local transcript file instead of authorizing remote fetch; 4) run in a controlled directory and inspect generated artifacts before sharing; 5) if you need higher assurance, run the script in an isolated environment or container.
scripts/generate_minutes.mjs:470
Shell command execution detected (child_process).
scripts/generate_minutes.mjs:1
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
