Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Create Feishu Doc
v1.0.8
Use this skill whenever the user wants to create, generate, write to, or organize content into a Feishu document. Triggers include: any mention of 'Feishu do...
by 唐超 @tc1993
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and runtime instructions all claim the skill will create and append to Feishu documents (using a platform tool named `feishu_doc`); that purpose is consistent with the included materials. However, the packaged Python script simulates API behavior (it prints output and generates local IDs) rather than calling `feishu_doc` or the Feishu API directly, which is an implementation mismatch with the claims in SKILL.md.
Instruction Scope
SKILL.md describes a bounded workflow (create, wait, split, append, retry, verify) and does not instruct reading unrelated system files or exfiltrating data. Troubleshooting sections mention API tokens and permission checks, but the runtime instructions themselves are scoped to Feishu operations only.
Install Mechanism
This is an instruction-only skill with no install spec; no packages or remote downloads are performed. A single Python script is included but it performs local simulation and printing rather than fetching or executing remote code.
Credentials
Manifest declares no required environment variables or credentials, yet the documentation and SKILL.md discuss API tokens, permissions, and checking tokens/permissions in troubleshooting. That mismatch (no declared primary credential while the integration clearly depends on Feishu auth in practice) is concerning: it is unclear whether authentication is intended to be handled transparently by a platform tool (`feishu_doc`) or if the skill requires user-provided credentials that are not declared.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system configs. Default autonomous invocation is allowed (normal), and there is no evidence the skill persistently elevates privileges.
What to consider before installing
This skill's behavior is largely consistent with its stated purpose, but there are a few mismatches you should consider before installing:
- Authentication ambiguity: The package declares no required credentials, but the docs talk about API tokens and permissions. Confirm how Feishu auth is provided (platform-managed `feishu_doc` tool vs. environment variables you must supply). Do not provide secrets until you understand the auth flow.
- Implementation mismatch: The included Python script simulates API calls (prints and generates fake IDs) instead of invoking the `feishu_doc` tool described in SKILL.md. Ask the author whether the script is a demo stub or the actual runtime will call the platform tool.
- Test cautiously: If you proceed, test the skill with a non-sensitive/test Feishu account to ensure it behaves as expected and does not attempt unexpected network calls or request undeclared credentials.
- If you need higher assurance: request explicit documentation from the maintainer showing how authentication is handled, and a version of the script that calls the platform `feishu_doc` API (or confirm the platform supplies that tool and credentials).

Like a lobster shell, security has layers — review code before you run it.
latestvk978hhwq1tp3m1pyhkqgdw1wgx83jryp
