Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu File Renamer
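v1.0.0
Batch-restore and rename the hash-named files downloaded by Feishu bots; supports mappings from group chats, cloud documents and Bitable (多维表格), with automatic conflict handling and logging.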
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The README and SKILL.md state Feishu message/cloud-document and 多维表格 (Bitable) integration and show command flags like --message-id and --bitable APP_TOKEN. The actual TypeScript code only parses a provided message string and performs local filesystem renames; there are no HTTP calls, no SDK usage, and the package requests no environment variables or credentials. This mismatch suggests either incomplete implementation or misleading documentation: the skill claims cloud integration but does not require or use the tokens that such integration would need.
Instruction Scope
SKILL.md instructs users to invoke the skill with message-id, APP_TOKEN, and to read mappings from Feishu messages or a table. The runtime instructions imply the agent will fetch message contents and table rows. The handler function handleFeishuFileRenamer expects a message string argument (already containing the message text) and never fetches remote data; there are no instructions or code to obtain messages by ID or to call Bitable APIs. Additionally, SKILL.md suggests automatic processing of cloud attachments, but code only renames local files referenced by mappings (and mappings produced by regex extraction).
Install Mechanism
No install spec is provided; this is effectively instruction+source code only. Nothing is downloaded or installed at runtime by an external URL or package manager. That reduces supply-chain risk for installation.
Credentials
The documentation and examples reference APP_TOKEN and running against Feishu/Bitable, which would normally require credentials (env vars). However the skill declares no required env vars and the code does not read any credentials. This is inconsistent: a skill that integrates with Feishu/Bitable should request and use credentials. The absence suggests the docs overpromise or the implementation is incomplete. On the positive side, the code does not attempt to read unrelated environment variables or config paths.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not modify other skills or system-wide config. It writes a log to /tmp/rename_log.md and performs local filesystem renames (renameSync), which is expected given its purpose. No elevated persistence or cross-skill privileges are requested.
What to consider before installing
Key issues to consider before installing:
(1) The documentation advertises Feishu and Bitable integration (message-id, APP_TOKEN) but the shipped code does not call any network APIs or read credentials — this likely means the skill either isn't finished or its docs are misleading.
(2) The implementation performs local filesystem renames using paths you provide or that it derives from message text; running it will rename files on disk (it can rename arbitrary files if mappings point to them). Back up important data and test in a sandbox directory first.
(3) If you expect automatic fetching from Feishu or a Bitable table, ask the author how credentials are supplied and why no env vars are required; do not supply real production tokens until the skill explicitly documents and uses them.
(4) Prefer installing only after the author clarifies whether remote API integration is implemented and what credentials are needed; if you must use it now, review and run the code locally in a controlled environment.
Like a lobster shell, security has layers — review code before you run it.
latest vk978ftm5m1f6ew3pfxb6nynzv984b408
