Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Geo Push Ops
v1.0.0Handles Feishu message construction, sending with retries, rate limit detection, delivery diagnostics, and dead-letter queue management for geo alerts.
⭐ 0· 41·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, SKILL.md, and code all implement Feishu message construction, retries, rate-limit handling and diagnostics as claimed. However, the module includes a hard-coded webhook URL in send_to_feishu's default FeishuConfig instead of requiring the caller to supply one or using a declared environment variable; that credential-like value is not surfaced in the skill metadata and is disproportionate to the declared 'no required env vars'.
Instruction Scope
SKILL.md instructs the agent to build messages and call the Python API; the instructions do not ask the agent to read arbitrary files, system configs, or unrelated credentials. The runtime code performs HTTP POSTs to the provided webhook and logs diagnostics, which is within the stated scope.
Install Mechanism
This is an instruction+code skill with no install spec — nothing is downloaded or installed by the skill itself. That lowers the install risk; dependencies are standard (requests) and optional project imports are declared in the README.
Credentials
The skill declares no required env vars or primary credential, but the code contains a hard-coded webhook URL (https://open.feishu.cn/open-apis/bot/v2/hook/cb9b2f26-c8be-483b-afca-2e4a59061e76). Embedding an endpoint like this is effectively shipping a credential/recipient in code and could cause messages (including potentially sensitive event text) to be sent to an external third party if the caller does not override the default. The SKILL.md shows an example webhook placeholder, so the hard-coded value is inconsistent with the documentation and metadata.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills' configs, and has no declared system-level privileges. Autonomous invocation is allowed by default but is not combined with other privilege/infiltration signals here.
What to consider before installing
This skill appears to do what it says (compose Feishu messages and retry on errors) but it includes a hard-coded Feishu webhook URL in the code. Before installing or using it: 1) Review and replace the hard-coded webhook with your own webhook or make sure callers always pass a webhook in FeishuConfig; do not rely on the embedded default. 2) Search the full file for any other hard-coded endpoints or secrets (the provided listing was truncated). 3) If you will send real event data, confirm the webhook recipient is under your control — otherwise messages (potentially containing sensitive content) could be forwarded to an external party. 4) Prefer configuring credentials via environment variables or injected config rather than embedded constants. 5) Run the module in a test environment and inspect outbound requests (or disable network) to verify behavior before deploying to production.Like a lobster shell, security has layers — review code before you run it.
latestvk9776pdqmx14bq7r59cdptqv3h83qnjc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.