Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Bot Manager
v0.0.1 · Interactively add and manage multiple Feishu bot accounts, with account-level and group-chat-level routing bindings that assign a specified Agent to handle messages.
⭐ 0 · 181 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code's behavior (adding Feishu accounts to ~/.openclaw/openclaw.json, creating backups, adding bindings, setting session.dmScope, and restarting the Gateway) matches the skill description. However, the skill metadata declares no required config paths while the code directly reads and writes $HOME/.openclaw/openclaw.json and $HOME/.openclaw/backups; this is an inconsistency. package.json lists an npm dependency on 'readline' (a Node builtin), which is unnecessary and unexpected.
Instruction Scope
SKILL.md instructions (interactive prompts and CLI flags for app id/secret, account id, agent id, routing mode) align with index.js. The runtime actions are limited to reading/writing the OpenClaw config and invoking the 'openclaw' CLI to set dmScope and restart the Gateway — all within the documented scope. The skill does not contact external endpoints or exfiltrate data, but it does persist secrets (appSecret) into the config file as expected for this purpose.
Install Mechanism
There is no install spec (instruction-only style), and code files are bundled. That lowers install risk compared with arbitrary downloads. Still, package.json contains an unnecessary external dependency ('readline') which is unusual and may confuse users or installers.
Credentials
The skill expects and manipulates the user's OpenClaw configuration file at ~/.openclaw/openclaw.json but the declared metadata lists no required config paths — the platform won't warn users that the skill will access and change a local config file. The skill legitimately asks for App ID and App Secret (needed for adding a bot) and writes them into the config; that is expected but sensitive. The included validator (lib/validator.js) contains a check that effectively requires binding.match.peer.id for all bindings, which contradicts account-level bindings described in documentation and may lead to false validation errors or confusion.
Persistence & Privilege
The skill is user-invocable and not always-enabled; it does not request persistent platform privileges. It will, however, run 'openclaw config set ...' and 'openclaw gateway restart' which modify runtime behavior and restart a service — appropriate for this tool but potentially disruptive; users should expect the Gateway restart side effects.
What to consider before installing
This skill appears to implement a Feishu bot account manager, but review a few issues before installing:
- The code directly reads and writes your OpenClaw config file at ~/.openclaw/openclaw.json and creates backups under ~/.openclaw/backups. The skill metadata did not declare this config-path requirement, so the platform may not warn you. Make sure you have a current manual backup and test in a non-production environment first.
- The skill will store the provided App Secret in your openclaw.json. Only provide secrets you are comfortable storing in that file, and verify the file's permissions (it should not be group- or world-readable).
- The script runs two CLI commands that affect the system: 'openclaw config set session.dmScope ...' and 'openclaw gateway restart'. Expect a Gateway restart (10–30s downtime). Ensure the 'openclaw' CLI is present and you accept the restart.
- The bundled lib/validator.js contains a validation bug: it appears to require peer.id for bindings, which contradicts account-level bindings described in the documentation. This looks like a logic bug (not necessarily malicious) but could cause confusion or false rejections.
- package.json lists an unnecessary external dependency ('readline'), which is odd and suggests the package.json was not carefully curated.
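The validator issue described above can be shown side by side with a corrected check. This is an added example, not the skill's own lib/validator.js, and the binding shape it uses (agentId, match.accountId, optional match.peer.id) is an assumption pieced together from the scan text rather than OpenClaw's real schema. It also adds a list-level check for duplicate routes, which a per-binding validator cannot catch:

```javascript
// Added example: not the skill's lib/validator.js. The binding shape below is an
// assumption drawn from the scan text; OpenClaw's real schema may differ.

function isNonEmptyString(v) {
  return typeof v === "string" && v.trim().length > 0;
}

// A check of the kind the scan describes: every binding must carry match.peer.id,
// so an account-level binding (no peer, route the whole account) is wrongly rejected.
function validateBindingBuggy(binding) {
  const errors = [];
  if (!isNonEmptyString(binding?.agentId)) errors.push("agentId is required");
  if (!isNonEmptyString(binding?.match?.accountId)) errors.push("match.accountId is required");
  if (!isNonEmptyString(binding?.match?.peer?.id)) errors.push("match.peer.id is required");
  return errors;
}

// Corrected: peer is optional. No peer means an account-level route; a present peer
// means a group (chat-level) route, and only then must peer.id be a non-empty string.
function validateBinding(binding) {
  const errors = [];
  if (!isNonEmptyString(binding?.agentId)) errors.push("agentId is required");
  if (!isNonEmptyString(binding?.match?.accountId)) errors.push("match.accountId is required");
  const peer = binding?.match?.peer;
  if (peer !== undefined) {
    if (peer === null || typeof peer !== "object") {
      errors.push("match.peer must be an object when present");
    } else if (!isNonEmptyString(peer.id)) {
      errors.push("match.peer.id is required for group-level bindings");
    }
  }
  return errors;
}

// Route key: the set of inbound messages a binding claims. Two valid bindings with the
// same key are ambiguous (which Agent wins?), which a per-binding check cannot see.
function routeKey(binding) {
  const peerId = binding.match.peer?.id;
  return peerId
    ? `${binding.match.accountId}/group:${peerId}`
    : `${binding.match.accountId}/account`;
}

function validateBindings(bindings) {
  const errors = [];
  const seen = new Map();
  bindings.forEach((b, i) => {
    const own = validateBinding(b);
    own.forEach((e) => errors.push(`bindings[${i}]: ${e}`));
    if (own.length) return;
    const key = routeKey(b);
    if (seen.has(key)) errors.push(`bindings[${i}]: duplicates bindings[${seen.get(key)}] for ${key}`);
    else seen.set(key, i);
  });
  return errors;
}

// Constructed sample bindings (hypothetical ids).
const accountLevel = { agentId: "support-agent", match: { accountId: "feishu-main" } };
const groupLevel = { agentId: "ops-agent", match: { accountId: "feishu-main", peer: { kind: "group", id: "oc_123" } } };
const missingPeerId = { agentId: "ops-agent", match: { accountId: "feishu-main", peer: { kind: "group" } } };

console.log("buggy, account-level:", validateBindingBuggy(accountLevel));
console.log("fixed, account-level:", validateBinding(accountLevel));
console.log("fixed, list:", validateBindings([accountLevel, groupLevel, { ...groupLevel, agentId: "other" }]));
```

The corrected validator rejects only what is actually malformed; the list-level pass is the check worth adding on top, since a second binding for the same group silently makes routing order-dependent.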
Recommendations: inspect the code yourself (you can read index.js and lib/validator.js), ensure an up-to-date backup of ~/.openclaw/openclaw.json, run the tool in a safe/test instance first, and confirm you are comfortable with storing app secrets in the config. If the author updates metadata to declare the required config path and fixes the validator and package.json oddity, my assessment would be more favorable.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- index.js:169: Shell command execution detected (child_process).
latestvk97e2qans32kf815fbj45dwt01832xpx
