Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Doc Batch Export

v1.0.0

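Batch export Feishu documents (docx) to local Markdown format, preserving document formatting, images, and links; supports batch export from a specified folder or from document links. Trigger scenarios: use when the user needs to export Feishu documents, batch download Feishu documents, or convert Feishu documents to Markdown.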

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The stated purpose (Feishu doc batch export) is consistent with the included code: scripts/export.py calls the Feishu API to fetch documents and images and convert HTML to Markdown. However the package metadata/registry claims no required environment variables while both SKILL.md and the code require FEISHU_APP_ID and FEISHU_APP_SECRET. Also the README/description advertises folder/batch export and recursive export but the script explicitly prints that folder export is 'under development' — advertised capabilities do not match the implementation.
[!] Instruction Scope
SKILL.md instructs the agent/user to set FEISHU_APP_ID and FEISHU_APP_SECRET and to run python scripts/export.py. The runtime instructions do not ask for unrelated files or secrets beyond the Feishu app creds, and network calls are limited to Feishu endpoints and image URLs. However SKILL.md shows CLI flags (--recursive, folder export) that the implemented main() does not support; that's scope creep/false promise in the instructions.
Install Mechanism
No install spec is provided (instruction-only + included code). Dependencies are minimal and listed in requirements.txt (requests, markdownify). Nothing is downloaded from arbitrary URLs or installed silently — lowest-risk install mechanism, but code will perform network I/O at runtime.
[!] Credentials
The code legitimately requires FEISHU_APP_ID and FEISHU_APP_SECRET to call the Feishu API (proportionate for the claimed functionality). The problem is the registry metadata lists no required environment variables or primary credential, which is inconsistent and risks surprising users into supplying credentials without clear disclosure in the registry entry.
Persistence & Privilege
The skill does not request elevated privileges or permanent/always-on presence. always:false and default autonomous invocation are normal. The skill does not modify other skills or system-wide agent settings.
What to consider before installing
This skill contains code that calls Feishu APIs and requires FEISHU_APP_ID and FEISHU_APP_SECRET (the registry metadata failing to declare these is a red flag). Before installing or running: (1) do not supply production admin credentials — create a dedicated Feishu app with only docx:readonly and drive:readonly and limited scope for testing; (2) verify the code yourself (scripts/export.py is short) or run it in an isolated environment/container; (3) note that folder/recursive export is advertised but not implemented — expect single-document export only; (4) if you will provide app secrets, prefer rotating secrets and revoke the test app after use; (5) ask the publisher to correct registry metadata and SKILL.md to accurately reflect current functionality, and only proceed if you trust the code or have audited it.

Like a lobster shell, security has layers — review code before you run it.

Tags: export, feishu, latest, markdown, productivity, tools
