Skill v1.0.1

ClawScan security

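Cracking the Feishu "document cannot be copied" restriction: full-copy skill - chunked read + chunked write, keeping text, tables, and code 100% intact (images excluded) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.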

Scanner verdict

Benign · Mar 14, 2026, 3:57 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (copying Feishu docs via the OpenClaw Feishu CLI); the only notable issue is it uses local CLI tools (openclaw, jq, bc) that are not listed in the declared requirements.
Guidance
This skill appears to do what it says: it copies a Feishu doc by calling the local OpenClaw Feishu CLI in chunks. Before use: ensure you have the right to copy the document (legal/ethical), confirm OpenClaw is installed and configured for Feishu (the script assumes OpenClaw CLI authentication is present), and install helper tools jq and bc if not present. Note that it creates temporary files under /tmp and deletes them at the end; test the script with a non-sensitive document first. The skill does not request external secrets itself, but relying on a preconfigured OpenClaw means it will use whatever Feishu credentials the environment already holds; only install/use if you trust those credentials are appropriately scoped.

Review Dimensions

Purpose & Capability
note: The name/description (copy Feishu doc into the same account) matches the included instructions and script: both repeatedly call an 'openclaw feishu' CLI to read/write doc chunks. However, the skill does not declare the actual runtime dependencies (it lists none), while the script and SKILL.md clearly require the OpenClaw Feishu channel/CLI and helper tools (jq, bc). This is a minor incoherence in declared requirements vs actual needs, not a mismatch in intent.
Instruction Scope
ok: SKILL.md and the provided shell script stay within the stated scope: they repeatedly fetch document chunks and append them to a new doc using the OpenClaw Feishu commands, store temporary files under /tmp, and delete them at the end. The instructions do not access unrelated system files, other credentials, or external endpoints beyond the OpenClaw/Feishu CLI. They also include rate-limit sleeps and verification steps.
Install Mechanism
ok: No install spec is provided (instruction-only plus an included script), which is low-risk. Nothing is downloaded from external URLs or written into system-wide locations apart from a temporary directory under /tmp. The only install/availability requirement is that the environment has the expected CLI/tools available.
Credentials
note: The skill declares no required environment variables or credentials, which aligns with the design because it uses the local 'openclaw feishu' CLI to access Feishu. However, that implies the agent/system must already have OpenClaw configured with Feishu credentials; the skill does not make this explicit in requires.env. There are no additional unrelated credentials requested.
Persistence & Privilege
ok: The skill does not request persistent/always-on privileges, does not modify other skills or global agent config, and is not marked always:true. It performs only ephemeral work (temporary files under /tmp, removed at end).