Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Reaction

v1.1.0

Add or remove emoji reactions on Feishu (Lark) messages, and respond to user reactions. Use when the user asks to react to a message, add an emoji/expression...

0· 369·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the included script all align: the skill adds/removes reactions via Feishu APIs using an app's credentials. No unrelated services or binaries are requested.
Instruction Scope
Runtime instructions and the script only perform operations needed to add/remove reactions (read openclaw.json, get tenant token, call Feishu reaction endpoints). They do not call other external endpoints or read unrelated system paths.
Install Mechanism
No install spec (instruction-only with an included shell script). Nothing is downloaded or written by an installer — risk from install mechanism is low.
!
Credentials
The script reads openclaw.json (APP_ID and APP_SECRET) from $OPENCLAW_CONFIG or $HOME/.openclaw/openclaw.json, but the registry metadata declared no required config paths or primary credential. That mismatch (missing declaration of required config/credentials) is disproportionate and should be fixed or justified. Also note openclaw.json may contain other sensitive values; the script reads the file directly.
Persistence & Privilege
Skill is not always-on, does not request persistent system modifications, and does not modify other skills' configs. It runs on demand via the script.
What to consider before installing
This skill's functionality is coherent, but it quietly reads your OpenClaw config file to get the Feishu appId/appSecret even though the registry metadata didn't declare that requirement. Before installing: (1) verify you want this skill to access $HOME/.openclaw/openclaw.json (or set OPENCLAW_CONFIG to a safe location); (2) inspect openclaw.json to ensure it does not expose unrelated secrets; (3) confirm the Feishu app has only the minimum permissions (im:message:reaction) and that you trust the app credentials will be used only to call open.feishu.cn; (4) if you need stronger guarantees, request the skill owner to declare the required config path/credentials in the metadata and to prefer explicit env vars rather than reading broad config files; and (5) consider running the skill in a restricted/sandboxed environment or review network traffic to confirm no unexpected endpoints are contacted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e0jn8bvw83s0rckmp69n42n82942v
369downloads
0stars
2versions
Updated 11h ago
v1.1.0
MIT-0

Feishu Reaction

Add/remove emoji reactions on Feishu messages via API. Enables richer, more playful interactions beyond text.

Usage

# Add reaction
bash scripts/feishu-reaction.sh <message_id> <emoji_type>

# Remove reaction
bash scripts/feishu-reaction.sh <message_id> <emoji_type> remove

Resolve scripts/feishu-reaction.sh relative to this skill's directory.

Getting message_id

The message_id comes from inbound message metadata (e.g., om_x100b554e82c620a4c...). Use the current message's message_id from conversation context.

Behavior Guide

Proactive reactions to user messages

React to user messages naturally, like a human would:

  • User says something nice → HEART, THUMBSUP, or YEAH
  • User shares good news → PARTY, FIREWORKS, or CLAP
  • User asks for help → OK (then reply with text)
  • User sends something funny → SMILE or WITTY

Don't overdo it — not every message needs a reaction. Use when it adds warmth without cluttering.

Responding to user reactions

When a user reacts to your message with an emoji, respond appropriately:

Positive/neutral reactions (HEART, THUMBSUP, YEAH, GoGoGo, FISTBUMP, PARTY, CLAP, SMILE, WOW, SaluteFace, WINK, GLANCE, etc.): → React back with a complementary emoji. No text reply needed.

Negative/questioning reactions (ANGRY, SPEECHLESS, FACEPALM, CRY, TERROR, SWEAT, WHAT, etc.): → React back with a caring emoji (HUG, HEART) AND follow up with a text message asking what's wrong.

Choosing reaction emojis

Pick reactions that feel natural and varied — don't always use the same one. Match the energy:

  • They send ❤️ → reply with 🤗 or ❤️
  • They send 💪 → reply with 🔥 or 💪
  • They send 👀 → reply with 😉

Available Emoji Types

Common: THUMBSUP, SMILE, OK, HEART, LOVE, THANKS, YEAH, AWESOME, PARTY, CLAP, APPLAUSE

Emotions: CRY, ANGRY, SHY, BLUSH, SPEECHLESS, TERROR, WOW, FACEPALM, SWEAT, PROUD, OBSESSED

Actions: WAVE, HUG, KISS, WINK, TONGUE, MUSCLE, SALUTE

Objects: FIRE, BEER, CAKE, GIFT, ROSE, FIREWORKS

Other: WITTY, JIAYI

Prerequisites

  • Feishu channel configured in OpenClaw (openclaw.json has channels.feishu.appId and appSecret)
  • App has im:message:reaction permission (飞书开放平台 → 应用权限 → 消息与群组 → 表情回复)

Examples

React with thumbs up to acknowledge a message:

bash scripts/feishu-reaction.sh "om_xxx" "THUMBSUP"

React with heart to show appreciation:

bash scripts/feishu-reaction.sh "om_xxx" "HEART"

Remove a reaction:

bash scripts/feishu-reaction.sh "om_xxx" "THUMBSUP" remove

Comments

Loading comments...