Skill v1.0.0
ClawScan security
travel-customizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:17 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill's code, instructions, and required configuration consistently match its stated purpose of collecting travel requests and submitting them to a Feishu (飞书) Bitable table.
- Guidance: This skill appears coherent and implements exactly what it claims: collecting travel requirements and posting them to a Feishu Bitable. Before installing, confirm you trust the destination Feishu workspace and administrator because users' full contact info (phone numbers, names, and any other details provided) will be transmitted to that table even though phone numbers are masked in the chat UI. Ensure the Feishu app has only the minimal permissions needed (bitable:app, base:record:create), rotate the App Secret if you stop using the skill, and review audit logs in your Feishu tenant to monitor submissions. Also verify that the agent implementation you run enforces the SKILL.md's required confirmation step (only submit after explicit user confirmation).
Review Dimensions
- Purpose & Capability: ok. Name/description (travel request collection + submit to Feishu) align with required environment variables (FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BASE_TOKEN, FEISHU_TABLE_ID) and the tool implementation which calls Feishu APIs.
- Instruction Scope: ok. SKILL.md specifies conversational data collection, user confirmation before submission, and masking phone numbers in chat. The tool only performs the expected actions (fetch token, create a bitable record). Note: the phone number is masked in chat but the full number is sent to Feishu when submitting.
- Install Mechanism: ok. Instruction-only skill with a small Python helper and a single dependency (requests). There is no install script or external download; nothing writes arbitrary code to disk beyond the provided files.
- Credentials: ok. Requested environment variables are exactly the Feishu credentials/tokens required to call the described APIs. No unrelated secrets, config paths, or extra credentials are requested.
- Persistence & Privilege: ok. Skill does not force persistent inclusion (always:false). It does allow normal autonomous invocation (platform default) but the SKILL.md enforces explicit user confirmation before any external submission.
