Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
飞书转发消息读取器
v1.1.0读取和解析飞书合并转发消息(merge_forward)的详细内容。当收到飞书转发消息显示为"Merged and Forwarded Message"时使用此 skill 获取原始消息内容。
⭐ 0· 428·0 current·0 all-time
by@konce
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, SKILL.md, and included scripts consistently implement a Feishu 'merge_forward' message reader that calls Feishu APIs to fetch and parse sub-messages. The required operations (requesting tenant token, calling im/v1/messages, optional contact user lookup) align with the described purpose.
Instruction Scope
Runtime instructions and scripts only call Feishu endpoints and optionally read ~/.openclaw/openclaw.json for credentials. This is within scope, but note the script will (optionally) call the contact API to resolve user names and will read the user's OpenClaw config file if present.
Install Mechanism
No install spec or external downloads; the skill is instruction-only plus two small scripts bundled in the skill. Nothing is written to disk by an installer beyond the included files.
Credentials
Registry metadata lists no required environment variables, yet both SKILL.md and the scripts accept/require FEISHU_APP_ID and FEISHU_APP_SECRET (or reading these from ~/.openclaw/openclaw.json). That's an inconsistency the publisher should clarify. The requested credentials are proportional to the task, but the mismatch in declared requirements is a red flag. Also the scripts will use the token to call contact API (contact:contact.base:readonly) if username resolution is enabled.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system settings. It only reads a user config file (~/.openclaw/openclaw.json) when present and uses network calls to Feishu endpoints.
What to consider before installing
This skill appears to do what it says: fetch and format Feishu merged/forwarded messages. Before installing, verify the following: 1) The publisher's metadata is inconsistent — the scripts require FEISHU_APP_ID and FEISHU_APP_SECRET (or an OpenClaw config) even though the registry lists no env vars; confirm you are comfortable providing those credentials. 2) Prefer creating a dedicated Feishu app with minimal scopes (im:message:readonly and optionally contact:contact.base:readonly) rather than using high-privilege credentials. 3) The scripts will read ~/.openclaw/openclaw.json if present — check that file's contents and ensure you trust the skill to access it. 4) The code only contacts open.feishu.cn endpoints; if you see other outbound destinations in a future version, treat that as a serious red flag. If you need higher assurance, ask the publisher to update the registry metadata to declare the required env vars and to provide provenance (homepage or source repo) so you can audit the code yourself.Like a lobster shell, security has layers — review code before you run it.
latestvk973mse4jyvqtgm02j4jyeezgx81vc2v
License
MIT-0
Free to use, modify, and redistribute. No attribution required.