ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ri

v1.0.0

Feishu document read/write operations. Activate when user mentions Feishu docs, cloud docs, or docx links.

0· 184·0 current·0 all-time
by@kari-code
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and instructions focus on Feishu doc read/write operations and the included block-types reference supports that. However, the SKILL.md advertises actions to 'create_table' and 'create_table_with_values' while the references/block-types.md explicitly states table blocks cannot be created via the API (error 1770029). That is a direct capability contradiction and should be clarified.
Instruction Scope
Instructions remain within the scope of manipulating Feishu documents (read, list blocks, update, upload images/files). They do assume access to inbound metadata (sender_id → owner_open_id) and to local filesystem paths (e.g., /tmp/image.png) for uploads; those are not declared but are reasonable platform assumptions — still, they should be documented (how the agent obtains auth and file access).
Install Mechanism
Instruction-only skill with no install spec, no binaries, and no code files — lowest install risk.
Credentials
No environment variables or credentials are declared, but the SKILL.md lists required Feishu scopes (docx:document, docx:document:readonly, docx:document.block:convert, drive:drive). The skill does not document how authentication tokens are supplied (app token, user token, or platform-provided context), which is important to confirm. It also expects access to inbound metadata (sender_id).
Persistence & Privilege
Skill is not forced-always, and does not request persistent system-level privileges. Autonomous invocation is enabled by default (normal).
What to consider before installing
This instruction-only Feishu document tool is generally coherent, but verify a few things before installing: 1) Clarify how the skill authenticates to Feishu (what token or platform-provided credential will be used) and ensure the required Feishu app scopes are appropriate. 2) Ask the publisher to explain the contradiction about table creation — the reference file says tables cannot be created via the API while the SKILL.md provides create_table actions. 3) Confirm whether the agent will be granted access to local files you might upload (e.g., /tmp/image.png) and that you’re comfortable exposing those files. 4) Test on non-sensitive documents first. If the publisher cannot explain the table-creation discrepancy or the auth model, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eq3ae9h3cd68a0efkgajp7982vems

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments