Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bot Roundtable
v1.0.0
Enables multiple Bots in a Feishu group to spawn expert personas and hold realistic multi-Bot discussions automatically or on demand.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (spawn multiple Feishu Bots) legitimately requires Feishu app_id/app_secret values and a config path; however the skill metadata declares no required environment variables or credentials. SKILL.md references config.json and also says Bot credentials are read from openclaw.json channels.feishu.accounts — a platform config path that was not declared. This lack of declared credentials is incoherent with the described functionality.
Instruction Scope
Runtime instructions tell the agent to run Python scripts (coordinator.py, feishu_sender.py), read config.json and openclaw.json for Bot credentials, and send messages as multiple bot identities. Those files are not actually included in the package. Instructions also direct reading the agent/platform config (openclaw.json), which is outside the skill's declared surface and could expose other accounts — this broad file access is a red flag.
Install Mechanism
There is no install spec (instruction-only), which is lower risk for arbitrary code installation. However package.json lists files (feishu_sender.py, coordinator.py, config.json) that are not present in the published bundle; that mismatch reduces confidence and suggests the SKILL.md was written for a different package layout.
Credentials
The skill declares no required env vars or primary credential, yet the instructions require app_id/app_secret for multiple bots and explicitly say bot credentials are read from openclaw.json. Requesting access to platform/agent config without declaring it is disproportionate and could enable exfiltration of unrelated credentials stored there.
Persistence & Privilege
always:false (no forced permanence) and normal autonomous invocation settings. Autonomous invocation combined with the skill's implied access to platform credentials (openclaw.json) increases risk, but persistence/privilege flags themselves are not elevated.
What to consider before installing
Do not install this skill yet. Ask the author for: (1) the missing Python files (coordinator.py, feishu_sender.py) and config.json so you can inspect their logic; (2) a clear list of every credential or config file the skill will read (it currently references openclaw.json but declares nothing); (3) confirmation of where openclaw.json lives and what other secrets it contains. Only proceed if the code is available for review and the skill limits itself to only the Feishu bot credentials it needs (and documents that). If you must test, run it in a tightly sandboxed environment with temporary Feishu test accounts (not production credentials).
Like a lobster shell, security has layers — review code before you run it.
