Lark Suite Wiki
v1.0.0
Manage and export Lark Suite (Feishu) Wiki/Knowledge Base documents. Read, search, sync with subdocuments, and incrementally export to local Markdown files.
⭐ 1 · 1.6k · 5 current · 5 all-time
by Reed (@reed1898)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence

Purpose & Capability
The skill's name, description, commands, and required env vars (LARK_APP_ID, LARK_APP_SECRET) align with a Lark Wiki export tool. However, the included Python file embeds fallback hardcoded credentials (app_id and app_secret) inside the code, which is not necessary for the stated purpose and contradicts the declared requirement to provide env vars.
Instruction Scope
SKILL.md instructs the agent/user to create a Lark app, set env vars, and authorize access, all of which is appropriate. The runtime instructions and included code only call Lark Open API endpoints and write the exported Markdown plus a local .lark-sync-state.json file. The problem: if the env vars are not set, the code silently falls back to embedded default credentials, and the instructions never mention this. There are no instructions to read unrelated system files or to contact endpoints outside open.larksuite.com.
Install Mechanism
This is instruction-only with a Python script; there is no install spec, no downloads, and no archive extraction. Install-time risk is low: no automated installer writes anything, and the only action is the user running the script.
Credentials
Only two environment variables are requested (LARK_APP_ID, LARK_APP_SECRET), which is proportionate for a Lark API client. However, the code includes hardcoded app_id and app_secret fallback values. Embedding credentials in the repository is unnecessary: it leaks the maintainer's secret to anyone who downloads the skill, and if the env vars are missing the tool silently operates under the maintainer's app identity rather than the user's.
Persistence & Privilege
The skill does not request persistent platform-level privileges (always: false). It saves a local .lark-sync-state.json file for incremental sync, which is consistent with the stated behavior and scoped to the output directory. The skill does not modify other skills or system-wide agent configurations.
Scan Findings in Context
[hardcoded-credentials] unexpected: The file larksuite-wiki.py includes literal fallback values for app_id ('cli_a90f6c8bf8f8ded4') and app_secret ('xtSodRRMmiU1R4oikynlFbBoEu3T2Wgo'). Hardcoded credentials are not expected for a client that should use user-provided env vars.
What to consider before installing
This tool appears to do what it claims (export Lark/Feishu wiki content), but the shipped script contains embedded Lark app credentials as fallbacks. Before installing or running it:
1. Inspect the code and remove or replace the embedded credentials.
2. Do not rely on the defaults: set LARK_APP_ID and LARK_APP_SECRET in your environment with an app you control.
3. Ensure the app has only the minimal read permissions and is authorized only for the docs you intend to export.
4. Run the script in an isolated environment (a non-production machine or container) the first time.
5. If you inadvertently ran it with the embedded credentials against your data, check which app you granted access to and rotate any affected secrets or app authorizations.
The presence of hardcoded secrets is a hygiene/security issue; treat it as suspicious rather than as an outright sign of malicious intent.
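The two points the report keeps returning to, a credential loader that silently falls back to embedded values and the advice to inspect the script before running it, can both be shown in a few lines of Python. The block below is an added example written for this page; it is not code from larksuite-wiki.py (whose exact structure is not reproduced here), and the os.environ.get(NAME, fallback) shape, the placeholder strings in the constructed WEAK_SAMPLE, and the SENSITIVE_HINTS heuristic are assumptions. It shows a fail-closed loader with no defaults, and an ast-based check that flags string-literal fallbacks on credential-looking environment variables, which is the quick version of inspection step 1 above.

```python
"""Fail-closed credential loading for a Lark/Feishu API client, plus an AST
check for the 'environment variable with hardcoded fallback' pattern that the
scan report flags. Added example; it does not reproduce larksuite-wiki.py."""
import ast
import os
import textwrap

REQUIRED_ENV = ("LARK_APP_ID", "LARK_APP_SECRET")
# Variable names that should never carry a literal default (assumed heuristic).
SENSITIVE_HINTS = ("SECRET", "TOKEN", "KEY", "PASSWORD", "PASSWD", "APP_ID")


def missing_env_vars(env=None):
    """Return the names in REQUIRED_ENV that are unset or empty in env."""
    env = os.environ if env is None else env
    return [name for name in REQUIRED_ENV if not env.get(name)]


def load_lark_credentials(env=None):
    """Return (app_id, app_secret) or raise.

    There is deliberately no default: a missing variable stops the client
    instead of letting it run under an embedded, possibly foreign, identity.
    """
    env = os.environ if env is None else env
    missing = missing_env_vars(env)
    if missing:
        raise RuntimeError("missing required env var(s): " + ", ".join(missing))
    return env["LARK_APP_ID"], env["LARK_APP_SECRET"]


def _is_env_lookup(func):
    """True for os.getenv(...) and os.environ.get(...) call targets."""
    if not isinstance(func, ast.Attribute):
        return False
    if func.attr == "getenv":
        return True
    return (func.attr == "get" and isinstance(func.value, ast.Attribute)
            and func.value.attr == "environ")


def find_env_fallbacks(source):
    """List (lineno, env_name, fallback) for env lookups whose second argument
    is a non-empty string literal. Any such literal is worth a look; the
    credential-looking ones are the finding."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_env_lookup(node.func)):
            continue
        if len(node.args) < 2:
            continue  # no positional fallback at all: fine
        name, default = node.args[0], node.args[1]
        if (isinstance(name, ast.Constant) and isinstance(name.value, str)
                and isinstance(default, ast.Constant)
                and isinstance(default.value, str) and default.value):
            findings.append((node.lineno, name.value, default.value))
    return sorted(findings)


def sensitive_fallbacks(source):
    """Only the fallbacks whose variable name looks like a credential."""
    return [f for f in find_env_fallbacks(source)
            if any(h in f[1].upper() for h in SENSITIVE_HINTS)]


# Constructed samples. WEAK_SAMPLE mirrors the shape the report describes,
# with placeholder strings rather than the credentials quoted in the report.
WEAK_SAMPLE = textwrap.dedent('''\
    import os
    app_id = os.environ.get("LARK_APP_ID", "cli_PLACEHOLDER")
    app_secret = os.getenv("LARK_APP_SECRET", "PLACEHOLDER_SECRET")
    out_dir = os.environ.get("LARK_OUT_DIR", "./export")  # non-secret default
''')

SAFE_SAMPLE = textwrap.dedent('''\
    import os
    app_id = os.environ["LARK_APP_ID"]          # KeyError if unset: fail closed
    app_secret = os.environ["LARK_APP_SECRET"]
''')

if __name__ == "__main__":
    for line, name, value in sensitive_fallbacks(WEAK_SAMPLE):
        print(f"WEAK_SAMPLE:{line}: {name} falls back to literal {value!r}")
    print("SAFE_SAMPLE findings:", sensitive_fallbacks(SAFE_SAMPLE))
```

Run against a downloaded script with `sensitive_fallbacks(open("larksuite-wiki.py").read())`; a non-empty result is exactly the condition the scan reports. The check is deliberately narrow (positional string-literal defaults only) so that a hit is unambiguous; it will not catch keyword defaults or credentials assigned without an env lookup, which is why step 1 still says to read the code rather than only run a scanner.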
Latest version: vk97beaztgt873fbzyc39aqbk6580mw7z
Runtime requirements
Clawdis
Env: LARK_APP_ID, LARK_APP_SECRET
Primary env: LARK_APP_ID
