ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

colleague-skill

v1.0.0

Distill a colleague into an AI Skill. Auto-collect Feishu/DingTalk data, generate Work Skill + Persona, with continuous evolution. | 把同事蒸馏成 AI Skill,自动采集飞书/钉...

1· 243·2 current·2 all-time
by@titanwings
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's purpose — distilling a colleague into a Persona+Work Skill by ingesting Feishu/DingTalk/Slack/messages/docs — aligns with the included tools (Feishu/DingTalk/Slack collectors, parsers, skill writer). However the registry metadata claims no required env vars/binaries/install while the runtime scripts clearly expect API credentials, OAuth flows, and optional binaries (playwright). That mismatch is unexpected.
!
Instruction Scope
SKILL.md instructs the agent/operator to run Python collectors that (a) use tenant/app and user OAuth tokens to read group and private chats, (b) may send messages to obtain chat IDs, (c) drive a browser login flow (playwright) to scrape documents, and (d) read uploaded files and write generated Skills to disk. These steps legitimately belong to the stated purpose but expand scope into private chat collection and active API interactions with other users — actions that have privacy, consent, and operational implications and are not reflected in the skill's declared requirements.
Install Mechanism
No external download URLs or opaque installers are used; the repo includes Python scripts and a requirements.txt referencing PyPI packages (requests, pypinyin, playwright, slack-sdk). No extract-from-random-URL installs were detected. That is reasonable for a repo-based skill, but optional heavyweight deps (playwright) are present and documented.
!
Credentials
The registry lists no required environment variables or primary credential, but the tools and SKILL.md explicitly require service credentials (Feishu app_id/app_secret, user_access_token/OAuth code, DingTalk AppKey/Secret, Slack bot token) and will persist configs under ~/.colleague-skill and write generated skills to ./colleagues. The absence of declared required credentials in metadata is an incoherence and hides the real credential needs and storage locations.
!
Persistence & Privilege
The skill writes config/tokens to the user's home (~/.colleague-skill) and creates generated Skill directories (./colleagues or configurable global path). It also can run browser-based login flows and may persist browser sessions (playwright). 'always' is false, but the skill will create persistent artifacts and stored tokens on first run — this side effect is not surfaced in the registry metadata and should be expected by anyone installing it.
Scan Findings in Context
[pre_scan_no_injection] expected: Static pre-scan reported no injection signals. That doesn't change the fact that the code executes network calls to vendor APIs (Feishu/Slack/DingTalk) and persists tokens/config locally, which is expected for this purpose.
What to consider before installing
This skill is coherent with its stated goal (automatically collecting workplace messages/docs and building a Persona + Work Skill), but there are important mismatches and privacy implications you should consider before installing: - Metadata vs reality: The registry claims 'no required env vars' and 'instruction-only', but the package contains scripts that require app_id/app_secret, OAuth/user tokens, and will save config to ~/.colleague-skill and write generated skills to disk. Treat those as required side effects. - Credentials & least privilege: If you try it, create dedicated, limited-scope app credentials (not your org admin keys). For Feishu/DingTalk/Slack, grant only the minimal scopes needed and prefer short-lived tokens. Do not reuse high-privilege or organization-wide secrets. - Privacy & consent: The tool harvests private chats and documents (it even instructs sending messages to obtain chat IDs). Only collect data you are authorized to access and ensure affected people consent where required by policy or law. - Storage & cleanup: The tool persists tokens and session data in ~/.colleague-skill and writes generated Skills to ./colleagues (or configured base dir). Inspect and delete these files if you stop using the skill; consider running in an isolated environment or disposable VM/container. - Code review: Because the skill executes network requests and can run Playwright/browser scraping, review the included Python scripts (tools/*.py) yourself or run them in a sandbox. There were no static malware signals, but the scripts perform sensitive operations by design. - Safer alternatives: If you only want to generate a persona from manual description or uploaded documents, avoid supplying OAuth tokens or enabling automatic collectors; use manual upload/paste mode instead. If you want help with specific mitigations (e.g., checklist to create limited-scope Feishu app, or commands to sandbox the skill), tell me which platform you plan to run it on and I can provide step-by-step guidance.

Like a lobster shell, security has layers — review code before you run it.

latestvk977dg2t40spa3xr8379epr0g98442tj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments