Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Sheet

v1.2.0

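Complete operations for Feishu spreadsheets (Sheets). Activate this skill when you need to create, read, or edit a Feishu spreadsheet. Supports: creating spreadsheets, reading and writing cells, appending data, inserting images, setting styles, merging cells, row and column operations, and find and replace. Requires Feishu app credentials: channels.feishu.appId and channels.feishu.appSecret (configured in...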

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Feishu Sheets) align with the included script and SKILL.md. The skill asks for Feishu app credentials and uses Feishu Open API endpoints (open.feishu.cn) to create/read/write spreadsheets, images, styles, etc., which is appropriate for the stated functionality.
Instruction Scope
SKILL.md instructs the agent to exec the included script to perform sheet operations and documents required inputs. The runtime script reads credentials from ~/.openclaw/openclaw.json and local image files only when image insertion commands are used. There are no instructions to read unrelated files, scan system state beyond token caching, or post data to endpoints other than Feishu APIs.
Install Mechanism
No install spec — the skill is instruction+script only. The script relies on standard tools (curl, python3, bash) that are declared as dependencies. No external downloads or archive extraction are performed by an installer.
Credentials
The skill legitimately needs channels.feishu.appId and channels.feishu.appSecret (stored in ~/.openclaw/openclaw.json) to call Feishu APIs. Minor inconsistency: registry metadata listed no required env vars/primary credential, while SKILL.md clearly documents required Feishu credentials in the config file. The script also uses TMPDIR/OPENCLAW_CONFIG optionally; these are reasonable and documented.
Persistence & Privilege
always:false and normal autonomous invocation settings. The script caches tenant tokens to a per-user file in $TMPDIR (no system-wide or cross-skill config modifications). It does not request persistent, global privileges or modify other skills.
Assessment
This skill appears to do exactly what it claims: interact with Feishu Sheets using a local script and your Feishu app credentials stored in ~/.openclaw/openclaw.json (or via OPENCLAW_CONFIG). Before installing: 1) ensure you trust the skill source (scripts are included and executable); 2) create a Feishu app with minimal permissions (only sheets:spreadsheet) and use those appId/appSecret values; 3) keep the config file protected (it contains app secrets); 4) note that the skill will read local image files only when you invoke image commands and caches tenant tokens in your temporary directory. If you need higher assurance, inspect the full script (provided) or run the skill in an isolated environment/account.

Like a lobster shell, security has layers — review code before you run it.
