Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-smart-doc-writer

v1.4.1

Feishu/Lark Smart Document Writer. Core Features: 1. Smart Chunk Writing - Solves blank-document issues caused by API limits on long documents 2...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, README, SKILL.md and code all align: it creates Feishu docs, auto-chunks content, transfers ownership and maintains a local index. Obtaining a tenant_access_token and reading a user's OpenClaw config can be justified for performing ownership transfers.
! Instruction Scope
SKILL.md promises automatic tenant_access_token retrieval and OpenID guidance, but the runtime code accesses local configuration files (e.g. ~/.openclaw/openclaw.json) and environment variables (FEISHU_APP_ID, FEISHU_APP_SECRET) to get app credentials. These file/variable accesses are not declared in the metadata and are higher-privilege operations than the SKILL.md explicitly documents.
Install Mechanism
No external install/downloads or third-party installers are declared. The package is instruction + bundled Python code included in the skill archive (no remote code fetch observed).
! Credentials
The code attempts to read FEISHU_APP_ID / FEISHU_APP_SECRET environment variables and (per changelog and code path) local OpenClaw config files (e.g. ~/.openclaw/openclaw.json) to obtain tenant_access_token. These are sensitive credentials. While they are relevant for the ownership-transfer feature, the skill does not declare these required envs or config paths in its metadata.
Persistence & Privilege
The skill persists user configuration and an index to the user's home workspace (user_config.json at ~/.openclaw/workspace/skills/... and memory/feishu-docs-index.md in workspace). It does not request always:true and does not modify other skills. Persisting these files is expected for its documented index/config features but grants the skill ongoing local storage.
What to consider before installing
This skill is consistent with its stated purpose but asks for (or implicitly reads) sensitive data: it will try to obtain Feishu app credentials via the FEISHU_APP_ID/FEISHU_APP_SECRET env vars or by reading your OpenClaw configuration (~/.openclaw/openclaw.json) to request a tenant_access_token for ownership transfers. Before installing:

1) Inspect the code (feishu_smart_doc_writer.py) yourself or run it in a sandbox.
2) If you trust it, prefer providing a dedicated Feishu app with limited permissions rather than using production credentials.
3) Be aware the skill will write config and an index to ~/.openclaw/workspace (user_config.json and memory/feishu-docs-index.md).
4) Granting docs:permission.member:transfer and publishing the app (as the guide instructs) gives the app the ability to transfer document ownership; only enable that permission for apps you fully trust.

If you cannot review the code or do not want it to access your OpenClaw config/credentials, do not install it, or require the developer to explicitly declare the required envs/config paths and provide safer alternatives (e.g., a scoped token just for this skill).

Like a lobster shell, security has layers — review code before you run it.
