ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pmtools

v1.0.2

Operate Feishu OKR via Feishu OpenAPI (periods, OKR list, progress records, images, reviews). Invoke when you need to query or update OKR progress.

0· 99·0 current·0 all-time
by@taoxiang-org
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description (Feishu OKR operator) match the code: the scripts call Feishu OpenAPI endpoints and implement periods/okrs/progress/images/reviews. However the manifest lists only FEISHU_ACCESS_TOKEN as a required env var while the code also expects (and can require at runtime) FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_TENANT_ACCESS_TOKEN, and FEISHU_USER_ACCESS_TOKEN. The mismatch between declared requirements and actual credential usage is an incoherence worth flagging.
!
Instruction Scope
SKILL.md instructs the agent to auto-update before every command. The included code implements self-update behavior (runs git commands and a 'clawhub update') and performs HTTP calls, reads/writes token and update cache files, and will fetch tenant tokens using app id/secret if provided. Auto-update and the ability to run arbitrary CLI tools expands the agent's scope beyond simple API calls.
!
Install Mechanism
There is no install spec (instruction-only style), which is low risk in itself, but the runtime self-update executes subprocesses (git and clawhub) that can modify the skill code on disk. That effectively enables remote code changes to the skill at runtime — a higher-risk behavior than a pure instruction-only skill.
!
Credentials
The manifest only declares FEISHU_ACCESS_TOKEN, but the code will also read/expect FEISHU_APP_ID and FEISHU_APP_SECRET (to fetch tenant tokens), FEISHU_TENANT_ACCESS_TOKEN, FEISHU_USER_ACCESS_TOKEN, and several PM_TOOLS_* overrides. The skill writes token cache and update cache files under the user's home directory. Requesting app secrets and writing cached tokens is reasonable for this functionality, but the manifest should declare them — the omission reduces transparency.
Persistence & Privilege
always:false and no system-wide config changes are requested. The skill persists state by writing cache files (tenant token cache, update check cache) under the user's home (~/.cache/pmtools/...) and can update its own code via git/clawhub. This persistent presence is expected for a CLI tool but increases blast radius if updates are malicious.
What to consider before installing
This skill implements Feishu OKR operations and is largely coherent with its description, but it auto-updates itself (runs git and a 'clawhub' command) and runs subprocesses that can change the skill code at runtime. Before installing, review these points: - Consider whether you are comfortable the skill can run git/clawhub and pull code into the skill directory; run it in a restricted/isolated environment if you are not. - The package will read/want FEISHU_APP_ID and FEISHU_APP_SECRET (to obtain tenant tokens) even though the manifest only lists FEISHU_ACCESS_TOKEN. Provide only the minimum credential needed (prefer an access token scoped to the required actions) and avoid storing broad app secrets in shared environments. - The skill writes cache files to your home directory (~/.cache/pmtools/...). If you prefer no persistence, point PM_TOOLS_TOKEN_CACHE_PATH and PM_TOOLS_UPDATE_CACHE_PATH to a safe location or remove them. - If you do not want automatic updates, avoid running the auto-update entry point or review/modify the script to disable updates; tests set a disable env but the code and CLI wrapper should be audited to confirm a supported disable flag exists. If you want higher assurance, inspect the full scripts/pm_tools.py file (and any update hooks) locally, and consider running the skill in an isolated container or VM before granting it access to real Feishu credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97753atg6qmpat4apfj05kdbn8378ha

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎯 Clawdis
Any binpython3, python
EnvFEISHU_ACCESS_TOKEN

Comments