Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scheduled Task Delivery skill

v1.0.0

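Set up Feishu scheduled-task delivery so that cron jobs reliably send their results to Feishu. Use this skill when you need to create, fix, or debug scheduled tasks for a Feishu channel, especially when a cron job runs successfully but its message cannot be delivered to Feishu.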

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly relies on the openclaw CLI (commands like `openclaw cron add`, `openclaw cron run`) and on reading ~/.openclaw/openclaw.json to find Feishu account IDs. However, the registry metadata lists no required binaries and no required config paths. Requiring the user's OpenClaw configuration and CLI is reasonable for the described task, but those requirements are not declared — a mismatch.
! Instruction Scope
Instructions explicitly tell the agent/operator to read ~/.openclaw/openclaw.json (via cat|grep) and to run openclaw cron commands. Reading the user's OpenClaw config is within the task scope (to find account IDs), but it accesses a user config file that may contain credentials or secrets. The skill does not limit or document what keys/fields will be read or how sensitive data is handled.
Install Mechanism
This is instruction-only with no install spec and no code files, which is the lowest install risk. Nothing will be downloaded or written by an installer step.
! Credentials
No env vars or primary credential are declared, yet the runtime instructions require access to the user's OpenClaw config file (likely containing Feishu account configuration and possibly tokens). The skill therefore implicitly expects access to secrets without declaring them.
Persistence & Privilege
always:false and no install behavior; the skill does not request persistent/global agent privileges or modify other skills. Autonomous invocation is allowed by default but not exceptional here.
What to consider before installing
Before installing or enabling this skill: (1) Understand it expects the openclaw CLI to be available and will ask you to inspect/use ~/.openclaw/openclaw.json to find account IDs — that file can contain credentials/tokens. (2) If you plan to let the agent run these commands automatically, confirm you’re comfortable granting it read access to your home OpenClaw config and the ability to run openclaw commands. (3) If you prefer caution, manually run the provided commands yourself (inspect openclaw.json first) or update the skill metadata to explicitly declare the required binary and config path so you can audit it. (4) Consider limiting exposure by using a dedicated account/key with minimal scope for cron deliveries, and back up any sensitive config before allowing automated access.

Like a lobster shell, security has layers — review code before you run it.
