Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-sheets-reader

v1.0.0

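Feishu online spreadsheet (Sheets) operations, including creating, reading, writing, appending data, and managing worksheets. Use when the user mentions Feishu spreadsheets, online sheets, or spreadsheets (not the multi-dimensional table, Bitable). Supports: creating spreadsheets, reading and writing cells, appending rows, inserting/deleting rows and columns, and managing worksheets.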

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
Name, description, SKILL.md, and included code all match a Feishu Sheets client (create/read/write/append/manage sheets). However, the Python client requires the FEISHU_APP_ID and FEISHU_APP_SECRET environment variables to obtain a tenant access token, while the registry metadata lists no required env vars and SKILL.md does not document these credentials. This is an incoherence between claimed requirements and actual capability.
! Instruction Scope
SKILL.md describes actions and how to form action JSON/CLI calls but does not instruct the agent or user to provide the FEISHU_APP_ID/FEISHU_APP_SECRET or how to obtain an app credential. The runtime code relies on those env vars and makes network calls to open.feishu.cn only (expected), but the missing documentation of required secrets and runtime environment is a scope and operational gap.
Install Mechanism
There is no install spec (instruction-only skill with a bundled script). No external downloads or archive extraction occur. The included Python script uses the standard requests library and performs HTTP calls; nothing in the manifest installs arbitrary third-party code at runtime.
! Credentials
The code requires FEISHU_APP_ID and FEISHU_APP_SECRET (app credentials) to obtain a tenant_access_token, but the registry metadata declares no required env vars or primary credential. The SKILL.md lists API permission scopes (sheets:spreadsheet, sheets:spreadsheet:readonly, drive:drive), which align with functionality, but the omission of explicit credential requirements in metadata is disproportionate and could mislead users about what secrets they must provide.
Persistence & Privilege
The skill is not always-enabled and does not request permanent platform-level privileges. It does make network calls with app credentials when invoked, and can be invoked autonomously (platform default) — which increases impact if credentials are misused, but autonomous invocation alone is not a disqualifying issue.
What to consider before installing
This skill implements a Feishu Sheets client but fails to declare that it needs FEISHU_APP_ID and FEISHU_APP_SECRET. Before installing, verify and consider:
1) Provide an app credential with least privilege (create a dedicated Feishu app/service account and grant only the listed scopes).
2) Confirm you trust the skill owner/source (source/homepage are unknown).
3) Ensure credentials are stored securely and rotate them if needed.
4) Inspect the included scripts yourself (the provided Python file calls only open.feishu.cn endpoints).
5) If you cannot verify the app credentials or owner, avoid installing or run it in an isolated environment.
If you proceed, update the skill metadata or SKILL.md to explicitly document the required FEISHU_APP_ID and FEISHU_APP_SECRET so users are not surprised.

Like a lobster shell, security has layers — review code before you run it.
