Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Content System Feishu Bitable Sync

v1.0.0

Sync a local `wechat-report` result into Feishu Bitable after the user has reviewed the report and confirmed the sync.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for abigale-cyber/content-system-feishu-bitable-sync.

Install the skill "Content System Feishu Bitable Sync" (abigale-cyber/content-system-feishu-bitable-sync) from ClawHub.
Skill page: https://clawhub.ai/abigale-cyber/content-system-feishu-bitable-sync
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install content-system-feishu-bitable-sync

ClawHub CLI

npx clawhub@latest install content-system-feishu-bitable-sync
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md match the stated purpose (reading local wechat-report JSON/MD and writing rows to Feishu Bitable). The required Feishu credentials (app id/secret, app token, table id) are appropriate for this integration. However, the registry metadata supplied with the skill declares no required environment variables or primary credential, which is inconsistent with the runtime and SKILL.md.
Instruction Scope
The runtime follows the documented flow: read the provided input file (markdown or JSON), optionally resolve a Raw JSON path referenced inside the markdown, obtain tenant/user tokens, and upsert records into Feishu. One noteworthy behavior: resolve_raw_payload_path will accept an absolute path parsed from the markdown and read it. That means a malicious or mistaken markdown input could cause the skill to read arbitrary local files referenced by the Raw JSON line. The skill also reads/writes token cache files and outputs under content-production/published as described — these are within the stated scope but should be noted.
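
A hardened counterpart to the Raw JSON path handling described above, as an added example that is not the skill's own code: it accepts the reference only when it resolves inside the JSON input directory listed in SKILL.md, and rejects absolute paths and traversal. The function name safe_resolve_raw_json, the regex for the Raw JSON line and the workspace argument are assumptions, since runtime.py is not shown on this page.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed line format, based on the scan text: "Raw JSON:<path>".
RAW_JSON_LINE = re.compile(r"Raw JSON:\s*`?([^`\n]+?)`?\s*$", re.MULTILINE)
# The only subtree SKILL.md lists as a JSON input location.
ALLOWED_SUBDIR = Path("content-production/inbox/raw/wechat-report")

class UnsafeRawPath(ValueError):
    """The Raw JSON reference points outside the allowed input directory."""

def safe_resolve_raw_json(markdown: str, workspace: Path) -> Optional[Path]:
    """Hypothetical hardened stand-in for resolve_raw_payload_path."""
    match = RAW_JSON_LINE.search(markdown)
    if match is None:
        return None
    ref = Path(match.group(1).strip())
    if ref.is_absolute():
        raise UnsafeRawPath(f"absolute path rejected: {ref}")
    allowed_root = (workspace / ALLOWED_SUBDIR).resolve()
    # resolve() collapses ".." and follows symlinks, so the containment
    # check runs against the file that would really be opened.
    candidate = (workspace / ref).resolve()
    if not candidate.is_relative_to(allowed_root):
        raise UnsafeRawPath(f"path escapes {ALLOWED_SUBDIR}: {ref}")
    if candidate.suffix != ".json":
        raise UnsafeRawPath(f"not a .json file: {ref}")
    return candidate

def demo() -> dict:
    """Run the resolver over constructed report snippets."""
    base = "content-production/inbox/raw/wechat-report"
    samples = {
        "ok": f"Raw JSON: {base}/2024-01-01/demo.json",
        "absolute": "Raw JSON: /etc/passwd",
        "traversal": f"Raw JSON: {base}/../../../../secrets.json",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, md in samples.items():
            try:
                safe_resolve_raw_json(md, Path(tmp))
                results[name] = "accepted"
            except UnsafeRawPath:
                results[name] = "rejected"
    return results
```
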
Install Mechanism
This is instruction + runtime code only; there is no install spec that downloads arbitrary artifacts. No network install URLs or package downloads are present in the bundle, so install risk is low.
Credentials
The runtime (and SKILL.md/README) require FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BITABLE_APP_TOKEN, and FEISHU_BITABLE_TABLE_ID, which are proportionate for Feishu Bitable access. The concern is that the skill's registry metadata lists 'Required env vars: none' and 'Primary credential: none', which is incorrect and misleading: users may install without realizing they must provide sensitive app secrets. The runtime also uses cached user tokens (token cache files), which may contain sensitive tokens and should be stored and handled securely.
Persistence & Privilege
Flags show always=false and the skill does not request persistent platform privileges. It writes only to its own outputs (published CSV/MD) and token cache; there is no evidence it alters other skills or global agent settings.
What to consider before installing
This skill appears to legitimately sync local wechat-report data to Feishu Bitable, but beware: (1) the package metadata wrongly omits required environment variables — you must set FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BITABLE_APP_TOKEN, and FEISHU_BITABLE_TABLE_ID before running; (2) the skill will follow a 'Raw JSON:<path>' line in the input markdown and may read that absolute path from disk — only run it on trusted input in an isolated workspace; (3) it uses and caches user/tenant tokens locally (protect those files); and (4) if you need higher assurance, review the feishu_auth helper module (not included here) and inspect runtime.py end-to-end. If any of these are unacceptable, do not install or run the skill until the metadata and documentation are corrected and you’ve audited token handling.

latestvk977cdzjx981etexwg8t0b4ged84cy07
77 downloads
0 stars
1 versions
Updated 2w ago
v1.0.0
MIT-0

feishu-bitable-sync

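This skill is never triggered automatically; it runs only after the user explicitly confirms "send to Feishu".

Supported inputs:

  • content-production/inbox/YYYYMMDD-{slug}-wechat-report.md
  • content-production/inbox/raw/wechat-report/YYYY-MM-DD/{slug}.json

Set these environment variables before running:

  • FEISHU_APP_ID
  • FEISHU_APP_SECRET
  • FEISHU_BITABLE_APP_TOKEN
  • FEISHU_BITABLE_TABLE_ID
  • Optional: FEISHU_SYNC_AUTH_MODE, default user
  • Optional: FEISHU_OAUTH_REDIRECT_URI, default http://127.0.0.1:14578/callback

Default behavior:

  • Reads the locally cached Feishu user_access_token first
  • If authorization has not been granted yet, writes an auth_required receipt and prompts you to run feishu-user-auth first
  • If the token refresh fails or the write to Feishu fails, additionally exports a CSV fallback file

Output:

  • content-production/published/YYYYMMDD-{slug}-feishu-sync.md
  • On failure fallback: content-production/published/YYYYMMDD-{slug}-feishu-import.csv

Sync strategy:

  • One row per article
  • Deduplicates by source_url
  • Re-syncing updates the existing row instead of adding a duplicate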
