Skill v1.0.0

ClawScan security

飞书 SKILL · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 13, 2026, 2:56 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only collection of Feishu (飞书) API documentation; its requirements and files align with the stated purpose and it does not request extra credentials or install code.
Guidance
This skill is a documentation bundle for Feishu APIs and appears coherent with that goal. It does not request credentials or install code. Before using it: (1) confirm you trust the publisher (homepage unknown, owner ID shown) — documentation is safe but provenance matters; (2) never paste real app_secret/user tokens into prompts or files you share; the included examples use placeholders; (3) when you follow the docs to call Feishu APIs, store real credentials in secure environment variables and grant only the least privilege scopes needed; (4) if you need stronger provenance, ask the publisher for a homepage or source repo link before installing.

Review Dimensions

Purpose & Capability
ok: Name/description promise an authoritative Feishu API doc pack and the repository contains many Markdown API files under open-apis/ matching that purpose. The skill requests no unrelated binaries, env vars, or config paths.
Instruction Scope
ok: SKILL.md instructs the agent to collect/produce complete Feishu API docs into open-apis/ and enforces strict non-omission rules. It does not instruct reading arbitrary host files, accessing unrelated secrets, or sending data to unknown endpoints; links point to official Feishu docs.
Install Mechanism
ok: There is no install spec and no code files to execute; this instruction-only skill has minimal disk/system footprint and low install risk.
Credentials
note: The skill does not require any environment variables or credentials. SKILL.md sensibly advises storing app credentials in env/config when you use the APIs, but it does not request or read secrets itself. When you later use the documented API examples you will need tokens — those are outside the skill's own requirements.
Persistence & Privilege
ok: Flags show normal privileges (always:false, user-invocable:true, model invocation enabled). The skill does not request persistent system presence or modify other skills' configuration.