Skill v1.0.1
ClawScan security
Travel Customizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 7:40 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (Feishu Bitable travel planner) is plausible, but there are multiple mismatches between the documentation, runtime instructions, and shipped code—so review before installing.
- Guidance: What to check before installing or enabling this skill:
  - Verify the upstream repository: confirm the GitHub URL in SKILL.md/README exists and that the code there matches the bundled code. The registry lists 'source: unknown', which reduces transparency.
  - Validate env var requirements: SKILL.md asks you to provide FEISHU_BASE_TOKEN, FEISHU_TABLE_ID, and (optionally) FEISHU_APP_ID/FEISHU_APP_SECRET, but the packaged code requires all four. Only provide the App Secret if you trust the code and repository; prefer creating a Feishu app with the minimum required scopes and test with a throwaway account or test table.
  - Confirm claimed features vs. implementation: the README claims auto-deidentification and interactive confirmations; the shipped tools.py does not implement those. If you need those behaviors, ask the author to provide matching code or patch the skill.
  - Protect PII: the tool transmits the user's name and phone number to the Feishu table. If that is sensitive, verify privacy practices, or configure a test table that does not contain real customers before using it with real data.
  - Least privilege: when creating the Feishu app, grant only the minimal bitable scopes required (e.g., record create) and avoid giving broader workspace credentials. Rotate secrets after testing.
  - If you lack confidence, run the skill in a restricted environment (sandbox/test workspace) and/or ask the maintainer for a signed/verified release or for the missing tool implementations (search/update/delete) before giving it production credentials.
  Confidence would increase to benign if the publisher/source is verified, the registry env requirements are corrected to match runtime needs, and the repository code implements the declared tool functions and documented privacy safeguards.
Review Dimensions
- Purpose & Capability (concern): The skill claims to integrate with Feishu Bitable (creating/updating/searching/deleting itineraries), and the code does contain Feishu API calls to create records — so the overall purpose is plausible. However, the registry metadata declares no required environment variables or primary credential, while SKILL.md and tools.py require FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BASE_TOKEN, and FEISHU_TABLE_ID. That mismatch (registry says none required; runtime needs secrets) is an incoherence the user should be aware of.
- Instruction Scope (concern): SKILL.md lists four callable tools (create_itinerary, search_itinerary, update_itinerary, delete_itinerary), but the shipped Python module only exposes get_tenant_access_token and submit_to_feishu (a single 'submit' function). The instructions also state that the App ID/Secret are optional, but the code requires them. The README promises features like 'automatic de-identification' and 'second confirmation' that are not implemented in the provided tools.py. This gap between runtime instructions and actual code is problematic.
- Install Mechanism (note): There is no explicit install spec in the registry (instruction-only), but README/SKILL.md point to a GitHub repo and suggest installing via the ClawHub CLI from that repo. The lack of an install spec in the published package is not dangerous by itself, but you should verify the referenced GitHub repository (the registry 'source' is unknown) before installing from it.
- Credentials (concern): The code legitimately needs Feishu credentials (App ID/Secret + base token + table id) to call the Feishu API — those are proportional to the stated task. However: (1) SKILL.md marks the App ID/Secret as optional while tools.py treats them as required; (2) the function collects and transmits PII (name, phone) to the remote table with no implemented de-identification despite the README claims. Requesting these credentials is expected, but the inconsistencies and PII handling are concerning.
- Persistence & Privilege (ok): The skill is not set to always:true, does not request system-wide configuration paths, and does not attempt to modify other skills' configs. It appears to run only when invoked.
