Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subscribe Filter Feishu

v1.0.3

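Subscribe, filter, push to Feishu. Subscribes to a data stream over WebSocket, filters it intelligently with a large language model, and pushes the results to Feishu automatically.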

0· 190·0 current·0 all-time
by bigbangbang @sougannkyou

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sougannkyou/subscribe-filter-feishu.

Prompt preview (Install & Setup):
Install the skill "Subscribe Filter Feishu" (sougannkyou/subscribe-filter-feishu) from ClawHub.
Skill page: https://clawhub.ai/sougannkyou/subscribe-filter-feishu
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install subscribe-filter-feishu

ClawHub CLI


npx clawhub@latest install subscribe-filter-feishu

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The code (scripts/receiver.js) implements subscribing to a WebSocket, calling an LLM endpoint, and pushing messages to Feishu — which matches the skill name/description. The declared dependencies (ws, axios) are appropriate. However the SKILL.md advertises management CLI commands (subscribe-filter-feishu start/stop/config/etc.) and a script path (scripts/subscribe-filter-feishu) that are not present; that is an inconsistency between claimed UX and included files.
Instruction Scope
SKILL.md instructs creating a config at ~/.openclaw/subscribe-filter-feishu.json and running commands like 'subscribe-filter-feishu start'/'config' but the repository contains only scripts/receiver.js (no CLI wrapper, no bin entry, no argument handling). The runtime code itself only reads the stated config file and accesses only expected paths (~/.openclaw for config and ~/clawd/data/subscribe-filter-feishu for logs/stats/PID). There is no code that reads other system files or environment variables. The main concern is the SKILL.md / packaging mismatch which could lead users to run unadvertised commands or assume a packaged/service wrapper exists when it does not.
Install Mechanism
No install spec is declared (instruction-only), but package.json and package-lock are provided and SKILL.md tells users to run 'npm install'. Dependencies come from npm (npmmirror registry referenced in lockfile). This is standard for Node skills, but running npm install will write dependencies to disk — verify the registry and package versions if supply-chain risk is a concern.
Credentials
The skill does not request environment variables. Required secrets (Feishu app_id/app_secret, Feishu user open_id, model_api_key, ws_url) are declared in the config file and are directly useful for the stated functionality. The skill does store these credentials in a config file in ~/.openclaw as described — this is coherent but means secrets will live on disk in user home.
Persistence & Privilege
always is false and the skill does not request elevated privileges or modify other skills. It persists its own PID, logs, and stats under ~/clawd/data/subscribe-filter-feishu, which is within the user's home directory and consistent with its purpose. It will run network calls to the configured WebSocket, the specified model endpoint, and Feishu's official API endpoints.
What to consider before installing
This package appears to implement the stated WebSocket → LLM → Feishu flow and only requires the Feishu and model credentials that it needs to function, but there are important inconsistencies to check before installing:

  • SKILL.md references a CLI wrapper (subscribe-filter-feishu start/stop/config) and a script path (scripts/subscribe-filter-feishu) that are not included. The actual runnable file is scripts/receiver.js: you will need to run it directly (e.g., node scripts/receiver.js or npm start) or create your own wrapper/service.
  • Inspect scripts/receiver.js yourself (it is provided) to confirm you are comfortable with it sending data to the configured model_base_url and Feishu endpoints. The script will persist secrets in ~/.openclaw/subscribe-filter-feishu.json and write logs/stats/PID under ~/clawd/data/subscribe-filter-feishu.
  • Verify the model_base_url and model_name you configure (default points at an Ark endpoint). Only provide API keys and app secrets you trust to this code and the endpoints you control/trust.
  • When running npm install, note dependencies will be fetched (lockfile points to a mirror). If you have supply-chain concerns, audit package versions or install in an isolated environment.

If you plan to use this skill: (1) fix or add a proper CLI/service wrapper if you need start/stop/status semantics; (2) consider file permissions on the config file to protect secrets; (3) run the code in an environment you control and review network endpoints. The inconsistencies in SKILL.md and packaging are likely oversight but should be resolved before production use.
scripts/receiver.js:53
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latest vk97a7pg82njafgyhy73rdpr4v58396s0
190 downloads
0 stars
4 versions
Updated 1h ago
v1.0.3
MIT-0

Subscribe-Filter-Feishu v1.0.2

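Subscribe to a data stream → intelligent LLM filtering → Feishu push.

Features

  • 🔌 Real-time data stream subscription over WebSocket
  • 🤖 Intelligent filtering with a large language model
  • 📱 Feishu message push
  • 📊 Persistent statistics
  • 🔄 Reconnection with exponential backoff
  • 🛑 Graceful shutdown

Installation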

cd skills/subscribe-filter-feishu
npm install
chmod +x scripts/subscribe-filter-feishu

Configuration (required)

Before first use, create the configuration file ~/.openclaw/subscribe-filter-feishu.json

{
  "ws_url": "ws://your-server:port/ws",
  "feishu_app_id": "your_feishu_app_id",
  "feishu_app_secret": "your_feishu_app_secret",
  "feishu_user_id": "your_feishu_open_id",
  "model_api_key": "your_ark_api_key",
  "model_base_url": "https://ark.cn-beijing.volces.com/api/v3",
  "model_name": "your_endpoint_id"
}

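Or run subscribe-filter-feishu config to create a template.

Configuration options

Key                 Required   Description
ws_url                         WebSocket data source address
feishu_app_id                  Feishu app App ID
feishu_app_secret              Feishu app App Secret
feishu_user_id                 open_id of the Feishu user who receives the messages
model_api_key                  Volcano Engine ARK API Key
model_base_url                 LLM API address (default: Doubao 2.0)
model_name                     Volcano Engine Endpoint ID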
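
A pre-flight check for the config file described above, as an added example that is not part of the skill or of ClawHub's scanner: it flags template placeholders left in place, a config file readable by group or other (the file holds feishu_app_secret and model_api_key in clear text), and ws_url or model_base_url values that do not use TLS. The function name, finding strings and sample values are assumptions made for this example.

```javascript
// Added example: audit ~/.openclaw/subscribe-filter-feishu.json before first start.
// Key names come from the SKILL.md table; the checks are this example's assumptions.
const REQUIRED_KEYS = ['ws_url', 'feishu_app_id', 'feishu_app_secret',
  'feishu_user_id', 'model_api_key', 'model_base_url', 'model_name'];

// cfg:  the parsed JSON config.
// mode: st_mode of the file, e.g. require('fs').statSync(path).mode
function auditConfig(cfg, mode) {
  const findings = [];
  for (const key of REQUIRED_KEYS) {
    const v = cfg[key];
    if (typeof v !== 'string' || v.trim() === '') findings.push(`missing:${key}`);
    else if (/^your_/.test(v) || v.includes('your-server')) findings.push(`placeholder:${key}`);
  }
  // App secret and API key live in this file, so group/other get no bits at all.
  if ((mode & 0o077) !== 0) findings.push('perm:config accessible to group/other, chmod 600');
  // Feed content ends up in an LLM prompt and the API key goes to model_base_url:
  // both links should be TLS, and neither URL should carry inline credentials.
  for (const [key, secure] of [['ws_url', 'wss:'], ['model_base_url', 'https:']]) {
    let url;
    try { url = new URL(cfg[key]); } catch { findings.push(`url:${key} unparseable`); continue; }
    if (url.protocol !== secure) findings.push(`url:${key} uses ${url.protocol} not ${secure}`);
    if (url.username || url.password) findings.push(`url:${key} embeds credentials`);
  }
  return findings;
}

// Constructed sample 1: the published template, saved with a default 0644 mode.
const TEMPLATE = {
  ws_url: 'ws://your-server:port/ws',
  feishu_app_id: 'your_feishu_app_id',
  feishu_app_secret: 'your_feishu_app_secret',
  feishu_user_id: 'your_feishu_open_id',
  model_api_key: 'your_ark_api_key',
  model_base_url: 'https://ark.cn-beijing.volces.com/api/v3',
  model_name: 'your_endpoint_id',
};
// Constructed sample 2: filled in with fake values, TLS feed, file mode 0600.
const HARDENED = {
  ...TEMPLATE,
  ws_url: 'wss://feed.example.internal:8443/ws',
  feishu_app_id: 'cli_constructed0001',
  feishu_app_secret: 'constructed-secret-value',
  feishu_user_id: 'ou_constructed0001',
  model_api_key: 'constructed-api-key',
  model_name: 'ep-constructed-0001',
};
console.log(auditConfig(TEMPLATE, 0o100644));
console.log(auditConfig(HARDENED, 0o100600));
```
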

Usage

# Start the service
subscribe-filter-feishu start

# Check status
subscribe-filter-feishu status

# View logs
subscribe-filter-feishu logs

# Stop the service
subscribe-filter-feishu stop

# Restart
subscribe-filter-feishu restart

# View/create the configuration
subscribe-filter-feishu config

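Filtering rules (example: AI news)

The default filtering rules push only news that explicitly involves core AI technology:

  • Machine learning / deep learning / neural networks
  • Large language models (LLM), NLP, computer vision
  • AI-generated content (AIGC)
  • Transformer, GPT, BERT, etc.

Not pushed:

  • Robots / drones / automated machinery
  • Synthetic biology / gene editing
  • Batteries / energy storage / new energy
  • Materials science

To customize the filtering rules, modify the prompt of isAIRelated() in receiver.js.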

Data directory

~/clawd/data/subscribe-filter-feishu/
├── receiver.pid    # PID file
├── receiver.log    # Runtime log
└── stats.json      # Statistics data

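Version history

v1.0.2

  • Exception fallback (uncaughtException / unhandledRejection do not exit the process)

v1.0.0

  • Configuration file management (sensitive information is not hard-coded)
  • PID management (prevents duplicate starts)
  • Management script (start/stop/status)
  • Reconnection with exponential backoff
  • Persistent statistics
  • Automatic Feishu token refresh
  • Doubao 2.0 LLM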

License

MIT
