ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-task-management-skill

v0.0.1

Manage Feishu tasks through a local Python toolkit that always has app credentials and can optionally act as a user for task APIs when OAuth user tokens are...

0· 203·0 current·0 all-time
by@_@@owrig
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description and code align: this is a local Python toolkit for Feishu Task with appropriate endpoints and CLI scripts. However the registry metadata lists no required environment variables or primary credential even though the toolkit's AppConfig.load requires FEISHU_APP_ID and FEISHU_APP_SECRET (or a runtime.json). The included runtime.json contains apparent app_id, app_secret and a user_access_token, which the description implies but the metadata does not declare—this is an incoherence and a sensitive inclusion.
!
Instruction Scope
SKILL.md instructs the agent to run local scripts that read and write configuration and data files (runtime.json, member_aliases.json, feishu_members.json) and to prefer using configured tokens. Those file reads are reasonable for the stated purpose, but because the repository already contains runtime.json with credentials and member data, following the instructions can cause the agent to use or expose baked-in secrets and organization member info. The SKILL.md also includes a pre-scan prompt-injection signal (base64-block) that should be reviewed.
Install Mechanism
No install spec — instruction-only runtime and bundled Python scripts. Nothing is fetched from external URLs during install. The risk here is from included source and data files (credentials and member lists), not from third-party installers.
!
Credentials
The skill effectively requires app credentials and optionally user OAuth tokens to function, but the registry lists no required env vars or primary credential. The repo contains a runtime.json with an app_secret and a long user_access_token; bundling working credentials in the skill artifact is disproportionate and risky because it grants the skill immediate access to the Feishu APIs without asking the installer to supply their own credentials.
Persistence & Privilege
always:false and normal invocation settings are fine. However the bundled runtime.json provides persistent credentials inside the skill's files, enabling the skill to make authenticated API calls immediately and persistently from the local copy. This increases blast radius compared to a toolkit that required the user to supply credentials at runtime.
Scan Findings in Context
[base64-block] unexpected: The SKILL.md was flagged for a base64-block prompt-injection pattern. The visible SKILL.md content does not obviously contain a base64 block, but the scanner's signal suggests the file may include or previously included embedded data intended to influence an LLM. Review SKILL.md carefully for hidden/encoded blocks before installing.
What to consider before installing
What to consider before installing: - Do not assume the skill is harmless because it’s 'instruction-only' — this bundle includes code and a runtime.json file containing an app_id, app_secret, and a user_access_token. Those are effectively credentials that let the skill call Feishu APIs immediately. - The registry metadata incorrectly reports no required credentials, but the toolkit requires FEISHU_APP_ID and FEISHU_APP_SECRET (or a runtime.json). That mismatch is a red flag: verify who provided the embedded credentials and whether you trust them. - Actions you can take before installing: inspect toolkit/config/runtime.json yourself; if you plan to use the toolkit, delete or replace the bundled runtime.json and configure your own app credentials (prefer environment variables). Do not use the embedded app_secret or user token. Rotate any credentials if they are yours and were committed here by mistake. - If you must test the skill, run it in an isolated environment (sandbox or container) and avoid exposing real production credentials. Consider removing or sanitizing toolkit/data/feishu_members.json if it contains real user identifiers. - The pre-scan flagged a possible base64 prompt-injection pattern in SKILL.md; review the file for any hidden or encoded content and remove it if found. - If you cannot verify the origin of the embedded credentials or if they belong to someone else, do not install/use the skill. Prefer a version of the toolkit that requires the user to provide credentials interactively or via environment variables.

Like a lobster shell, security has layers — review code before you run it.

latestvk970gvrgse21qdmjwentqygped82pp7e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments