Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description say it will sync 企业微信 (WeCom) and 飞书 (Feishu) tasks, but the skill declares no API credentials, no endpoints, and no binaries — syncing these services would normally require OAuth/API keys and network calls, so the declared requirements are insufficient/incoherent for the stated purpose.
Instruction Scope
SKILL.md is a placeholder/todo list and contains no runtime instructions, file paths, or network endpoints. It does not instruct reading sensitive local files, but it is vague and incomplete, leaving broad implementation choices unspecified.
Install Mechanism
Instruction-only skill with no install spec and no code files — low immediate disk/write risk. Because there's no install, there is nothing to inspect on disk.
Credentials
The skill requests no environment variables or credentials, yet its stated purpose would legitimately require service credentials (Feishu/WeCom tokens, app IDs/secrets). This mismatch is an incoherence: either the skill is incomplete or it will later ask for broad secrets without disclosure.
Persistence & Privilege
always:false and user-invocable:true (normal). Allowed-tools include Read/Write/Edit/Bash which would permit file and command actions when invoked — expected for a connector but should be constrained in a real implementation.
What to consider before installing
This skill is a stub and not ready for use. Do not install or grant access expecting it to work. Ask the author for: (1) complete source code and a homepage/repo; (2) a clear list of required environment variables and minimal scopes (e.g., FEISHU_APP_ID/SECRET, WECHAT_CORP_ID/SECRET) and how tokens are stored; (3) exact network endpoints it will call and whether it uses OAuth; (4) an install/build spec and tests. Before using, review the implementation to ensure credentials are requested only for the needed scopes, stored securely (not plaintext), and that network calls go to official APIs over HTTPS. If you must test early, run it in an isolated environment with minimal test credentials and audit all outgoing requests and filesystem changes.
Like a lobster shell, security has layers — review code before you run it.
latest vk978kke3s53mw516qag2ry402s84fh7s
