ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Identity Routing

v0.1.0

Build and use a Feishu/Lark cross-app identity master for multi-agent, multi-account routing. Use when mapping the same user across different Feishu app open...

0· 92·0 current·0 all-time
by@wxfkuq2023

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wxfkuq2023/feishu-identity-routing.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Feishu Identity Routing" (wxfkuq2023/feishu-identity-routing) from ClawHub.
Skill page: https://clawhub.ai/wxfkuq2023/feishu-identity-routing
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install feishu-identity-routing

ClawHub CLI

Package manager switcher

npx clawhub@latest install feishu-identity-routing
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Feishu identity routing) aligns with the bundled scripts and reference docs: the code implements merging, batching, and pending-review flows for a canonical feishu-user-master.json. That functionality is expected for this purpose. However, the implementation assumes a specific local workspace (/home/admin/.openclaw/workspace) which is not declared in the skill metadata and may not match a user's environment.
!
Instruction Scope
SKILL.md tells you to create identity/feishu-user-master.* files, which fits the purpose. But the runtime scripts read/write a hardcoded absolute path (/home/admin/.openclaw/workspace) that is not documented in SKILL.md or declared in requirements. The batch/usage strings in the scripts expect binaries at workspace/bin/... while the repository provides scripts/..., creating an invocation/path mismatch. review_feishu_pending.js also hardcodes reviewer identity strings like 'main-agent' contrary to the SKILL.md advice not to hardcode agent names.
Install Mechanism
No install spec is present (instruction-only with shipped scripts). That is low-risk from an installation perspective because nothing is downloaded or executed automatically. However, the shipped scripts will perform filesystem writes when run.
!
Credentials
The skill declares no required env vars, but the scripts require write/read access to a specific filesystem location (/home/admin/.openclaw/workspace). This implicit config path is effectively a required resource but is not declared. The scripts do not request API keys or external credentials, which is proportional, but implicit reliance on a particular home directory and the hardcoded 'main-agent' reviewer are surprising and should be justified or parameterized.
Persistence & Privilege
The skill does not request always:true and won't autonomously persist beyond running its scripts; however the scripts will modify a workspace master JSON (create/update pending_reviews, subjects, rejected_reviews). This write access is expected for an identity master tool but is a privileged operation on local data — ensure the workspace path is correct and that you trust the code before allowing writes.
What to consider before installing
This skill implements a plausible Feishu identity merge/routing tool, but review and adjust before installing: - The scripts operate on /home/admin/.openclaw/workspace (hardcoded). If your workspace is elsewhere, update the scripts or provide that path — otherwise they may fail or write unexpected files. - There are path mismatches: the batch script expects workspace/bin/merge_feishu_identity.js but the repo provides scripts/merge_feishu_identity.js. Fix file locations or invocation strings before running the batch tool. - review_feishu_pending.js inserts reviewer metadata ('main-agent' / 'main-agent' noted in approvals). That contradicts the SKILL.md guidance; if you need different agent names, change the hardcoded strings. - Because the scripts write and overwrite identity files, back up any existing identity files and restrict file permissions before use. - Audit the scripts locally (they perform only local JSON read/write and spawn local node processes) and, if you will run them in automated agents, ensure the agent runs under a dedicated user with appropriate filesystem permissions. If you cannot or do not want to modify the scripts, treat this skill as untrusted until the hardcoded paths, invocation mismatches, and agent strings are corrected.
scripts/merge_feishu_identity_batch.js:26
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

feishuvk973er43k95qksekr3t086wkvx83xtsmidentity-routingvk973er43k95qksekr3t086wkvx83xtsmlatestvk973er43k95qksekr3t086wkvx83xtsmmulti-accountvk973er43k95qksekr3t086wkvx83xtsmmulti-agentvk973er43k95qksekr3t086wkvx83xtsm
92downloads
0stars
1versions
Updated 4w ago
v0.1.0
MIT-0
@wxfkuq2023
feishuidentity-routinglatestmulti-accountmulti-agent
Download

Feishu Identity Routing

Use this skill when a workspace needs a reusable way to:

  • merge the same human across multiple Feishu apps/accounts
  • store app-local open_id under one canonical user subject
  • resolve the right open_id for a target accountId / app_context
  • route outbound actions correctly in multi-agent setups

What to create

Create these workspace files if missing:

  • identity/feishu-user-master.json — canonical data store
  • identity/feishu-user-master.md — human-readable summary

Core rules

  1. One person = one subject
  2. Merge by union_id first, then user_id
  3. Treat open_id as app-local only
  4. Before any outbound action:
    • resolve the user subject globally
    • resolve the target app/account-specific open_id
    • build the provider target from that local identity

For Feishu DM routing, use:

  • accountId=<target account>
  • target=user:<open_id>

Scripts

Use bundled scripts when you need deterministic updates:

  • scripts/merge_feishu_identity.js — merge one record
  • scripts/merge_feishu_identity_batch.js — merge many records
  • scripts/review_feishu_pending.js — approve/reject pending merges

When to read references

  • Read references/workflow.md when setting up or extending the process
  • Read references/schema-example.json when creating a new master file
  • Read references/pending-review-policy.md when conflicts appear
  • Read references/outbound-routing-patterns.md when implementing outbound delivery or cross-agent routing
  • Read references/examples.md when you want concrete merge/routing examples

Notes

  • Do not hardcode a specific agent like main or infoIntelOfficer into the design.
  • Model routing as: global subject resolution → app-context identity selection → provider-specific outbound target.
  • Keep the skill reusable across future agents and Feishu accounts.

Comments

Loading comments...