Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-minutes

Fetch metadata, statistics, transcripts, and media files from Feishu Minutes using a provided meeting token.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 723 · 8 current installs · 8 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
Name/description claim to fetch Feishu Minutes using a meeting token, which is consistent with the code's API calls. However, the code also requires valid Feishu app credentials (app_id and app_secret) to obtain a tenant_access_token. The skill's metadata and SKILL.md do not declare that FEISHU_APP_ID / FEISHU_APP_SECRET or a config.json are required; that omission is an incoherence between stated purpose and actual requirements.
[!] Instruction Scope
SKILL.md instructs only running the script with a minutes token and an optional --out but does not mention credentials, .env handling, or file paths. The runtime code (lib/auth.js) attempts to load .env files from multiple ancestor paths, reads a config.json if present, and writes/reads a token cache at '../../../memory/feishu_token.json' (outside the skill folder). These behaviors expand scope beyond what the documentation describes and could expose or reuse credentials unexpectedly.
Install Mechanism
No install spec; dependencies are standard npm packages (dotenv, node-fetch, yargs) listed in package.json/lockfile. There are no downloads from arbitrary URLs or extract steps. Nothing unusual in the install footprint.
[!] Credentials
Registry metadata declares no required env vars, but the code requires FEISHU_APP_ID and FEISHU_APP_SECRET (via environment or config.json). Additionally, lib/auth.js will load .env from process.cwd() and parent directories, which can cause the skill to read unrelated secrets. The skill persists tenant tokens to a shared memory path, enabling cross-skill token reuse — this increases the scope of sensitive data accessed and stored.
Persistence & Privilege
always:false (normal). The code persists a tenant token to '../../../memory/feishu_token.json' and will read that cache on subsequent runs; this is persistent and shared by name (the author indicates it's 'Unified Token Cache'). Writing/reading that shared memory file is a persistent side-effect outside the skill folder and can affect other skills or reuse credentials. The skill does not modify other skills' configs or request always:true.
What to consider before installing
This skill looks functionally correct for downloading Feishu Minutes data, but the documentation fails to tell you it needs Feishu app credentials. Before installing or running it:
  (1) Verify the skill source/author;
  (2) supply FEISHU_APP_ID and FEISHU_APP_SECRET via environment variables or a config.json if you trust it; the code will also try to load any .env in the current or parent directories — avoid running it where other secrets live;
  (3) be aware it will persist a tenant token to memory/feishu_token.json (shared across skills) — if you don't want token reuse, remove or sandbox that file;
  (4) consider creating a dedicated Feishu app with minimal permissions for this use;
  (5) ask the publisher to update SKILL.md to declare required env vars and the token cache location or modify the code to only read declared env vars and write caches inside the skill-specific directory.
If you cannot verify the author, run the skill in an isolated environment or inspect/modify lib/auth.js to remove ancestor .env loading and to control the cache path before using.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk9766p2skhp3xx6ncq93p8mats816rhj

SKILL.md

Feishu Minutes (妙记) Skill

Fetch info, stats, transcript, and media from Feishu Minutes.

Usage

node skills/feishu-minutes/index.js process <minutes_token> --out <output_dir>
  • <minutes_token>: The token from the Minutes URL (e.g., mmcn...).
  • --out: Optional output directory (defaults to memory/feishu_minutes/<token>).

Output

  • info.json: Basic metadata.
  • stats.json: View/Comment stats.
  • subtitle.json: Raw transcript data.
  • transcript.md: Readable transcript.
  • media.mp4: Video/Audio recording.

Files

6 total