Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Release Package
v1.0.0
Feishu Bitable Storage Manager - Integrated tool for item storage, retrieval, and location updates
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
Registry metadata and package name ('Release Package', slug 'release-package') do not match the embedded SKILL.md and code (a 'Storage Manager' for Feishu Bitable). Required runtime capability (Python3) matches, but the mismatch in naming/slug suggests packaging errors or possible misdirection.
Instruction Scope
SKILL.md and storage_manager.py expect and instruct use of Feishu app credentials (FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BITABLE_TOKEN, FEISHU_TABLE_ID) and perform file reads (image upload) and outbound network calls to Feishu APIs. However the skill registry 'requires.env' lists no environment variables. The runtime instructions will therefore attempt to access secrets not declared in metadata — an incoherence and a potential surprise to users.
Install Mechanism
There is no platform install spec, but an included install.sh will install Python 'requests' (via pip3 if missing), make local files executable, create a symlink in ~/.local/bin, and write a config.example.env. No network downloads of archives or remote code are performed by the script, which reduces risk, but the script will modify the user's home directory (it creates a symlink and writes a file).
Credentials
The code requires Feishu API credentials and a table token to function, yet the skill declares no required environment variables or primary credential. test_basic.py sets example FEISHU_* environment variables (hard-coded sample-looking tokens) which is suspicious and may mislead users into thinking those are safe defaults. Requesting secrets for an external service without declaring them is disproportionate and opaque.
Persistence & Privilege
The skill is not always-enabled, does not request elevated system-wide permissions, and does not modify other skills' configurations. The install script creates a user-local symlink and config example only; there is no evidence of privileged persistence.
What to consider before installing
This package implements a Feishu Bitable storage manager and will read local images and make outbound API calls to Feishu; it requires FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BITABLE_TOKEN, and FEISHU_TABLE_ID to work, but the registry metadata does not declare those environment variables. Before installing: (1) Verify the publisher and canonical source (the registry shows 'unknown' source/homepage); (2) Inspect storage_manager.py and install.sh yourself — they will attempt network calls and create a ~/.local/bin symlink and a config example file; (3) Remove or verify the hard-coded example tokens used in test_basic.py and do not reuse them as real secrets; (4) If you proceed, create a Feishu app with minimal permissions and use scoped credentials; (5) Prefer running install/test in a sandbox/container first. The mismatch between the package name/slug and the contained skill is a red flag — treat this package cautiously unless you can confirm its origin.
Like a lobster shell, security has layers — review code before you run it.
latest vk972gyx4n2kzf1v6ar7057ev5984t1wa
Runtime requirements
box Clawdis
Bins: python3
