Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Bot Connector

v1.0.0

Helps the user with a Feishu bot and connects the agent to the Feishu bot.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is described as a Feishu bot/agent binder and the code implements that by editing ~/.openclaw/openclaw.json and restarting the OpenClaw gateway — that is consistent. However the package metadata/registry claims no required binaries while the code calls the 'openclaw' CLI (openclaw config set ... and openclaw gateway restart). The skill should have declared 'openclaw' as a required binary. Also package.json lists an external dependency 'readline' (unnecessary because Node provides a builtin 'readline'), which is odd and could pull an unrelated npm package if someone runs npm install.
Instruction Scope
SKILL.md describes interactive and CLI flows to add App ID/App Secret and configure routing; index.js implements those flows and performs the stated steps (backup, modify channels.feishu.accounts, add bindings, set session.dmScope, restart gateway). A minor logic/validation mismatch exists: lib/validator.js flags missing binding.match.peer.id even for account-level bindings (this will cause false validation errors for legitimate account-level bindings). The skill does write App Secret into openclaw.json (expected for service credentials) and uses HOME to locate the config.
Install Mechanism
There is no install spec (instruction-only is lower risk). However the repository includes a package.json that declares an external dependency ('readline') which is unnecessary and suspiciously sloppy — if a user runs npm install in this package it could fetch a third-party package. No remote downloads or extract steps are present in the skill itself.
Credentials
The skill does not request additional environment credentials. It expects to read/write the user's OpenClaw config at ~/.openclaw/openclaw.json (uses process.env.HOME) and requires the user to supply Feishu App ID and App Secret, which is proportionate for adding a bot account. It stores appSecret in the config file in plaintext (typical but sensitive).
Persistence & Privilege
The skill is not always-enabled and does not request platform-level persistent privileges. It will create backups and modify the user's OpenClaw configuration and restart the gateway — actions that are necessary for its function but also have real impact. This modification of a system config file is within the skill's claimed scope.
What to consider before installing
What to consider before installing/using this skill:

- The skill will read and overwrite your OpenClaw configuration at ~/.openclaw/openclaw.json and restart the OpenClaw gateway. Back up that file before running the tool.
- You will need to provide Feishu App ID and App Secret; those secrets will be written into openclaw.json in plaintext. Make sure you are comfortable storing them there.
- The code calls the 'openclaw' CLI but the skill metadata does not declare that binary as required — ensure the 'openclaw' command exists and is the legitimate OpenClaw CLI on your system.
- package.json declares an external 'readline' dependency even though Node has a builtin module named readline; do NOT run npm install blindly in this package without auditing the dependency, as it could pull a third-party package.
- There's a validation bug in lib/validator.js that may incorrectly require peer.id on bindings (could produce confusing validation errors for account-level bindings).
- Review the source (index.js) yourself if possible. The code does not exfiltrate data or contact remote endpoints, but it does perform file writes and run local commands (openclaw). If you accept its actions (editing config and restarting gateway), the code appears to implement that behavior.
- If you are unsure, run the script in a safe/test environment first or manually make the config changes following the SKILL.md steps instead of running code from an untrusted package.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

- index.js:169 — Shell command execution detected (child_process).


latestvk974y7mwcdckqhhrt3npnpph6x84b0h5

