Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Meeting Reminder

v1.0.0

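Feishu meeting auto-reminder - automatically reminds attendees before a meeting so that important meetings are not missed.
**Features**:
- Automatically reminds attendees N minutes before the meeting starts
- Supports recurring reminder rules
- Automatically creates a Feishu calendar event and sets a reminder
- Supports viewing the list of upcoming meetings
**Trigger conditions**:
- The user mentions "meeting reminder" (会议提醒), "meeting notification" (会议通知), "remind about the meeting" (开会提醒), or "remind attendees" (提醒参会)
- The user asks to create...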

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The SKILL.md describes creating events, adding attendees, and sending reminders via Feishu (references a feishu_calendar_event tool). Yet the skill declares no required environment variables, credentials, or config paths. Real Feishu API calls normally require app credentials/access tokens and explicit scopes; those are absent here, so it's unclear how the claimed functionality would be performed.
[!] Instruction Scope
Instructions show JSON payloads and require user_open_id from message context, but do not specify any authentication flow, token acquisition/refresh, or where notifications are delivered. The doc assumes access to a feishu_calendar_event tool and message context but gives no runtime constraints, error handling, or limits on what user data (attendee IDs) may be read/transmitted.
Install Mechanism
No install spec and no code files — this is instruction-only, so nothing will be written to disk by the skill itself. That minimizes install-time risk.
[!] Credentials
The skill declares zero required environment variables or primary credentials despite needing to operate against Feishu APIs and potentially send notifications to users. This is disproportionate and ambiguous: either the platform provides Feishu access implicitly (not declared), or the skill omitted necessary credential requirements.
Persistence & Privilege
always is false and there is no indication the skill requests permanent system-level presence or modifies other skills. No elevated persistence/privileges are requested.
What to consider before installing
Before installing, ask the publisher how the skill authenticates to Feishu and what credentials/scopes it needs. Confirm whether the platform will provide a Feishu integration (and what scopes it grants) or whether you'll need to supply app_id/app_secret/access_token — and insist on least-privilege (calendar/event + notification scopes only). Verify where reminders are delivered (in-app message, push, email, SMS) and what user data (open IDs, attendee emails) will be read or stored. Because the skill's instructions reference creating events and notifying attendees but declare no credentials, treat this as incomplete: test with a non-production/dummy account and require the author to document the auth flow and data handling before granting access or supplying any secrets.


Tags: automation, feishu, latest, meeting, reminder
