Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-quick-setup

v1.0.2

One-click Feishu bot creation. Uses the Feishu App Registration API (Device Flow) to create a new Feishu Bot and save credentials to the OpenClaw config file...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hashstacs-hk/feishu-quick-setup.

Prompt preview (Install & Setup):
Install the skill "feishu-quick-setup" (hashstacs-hk/feishu-quick-setup) from ClawHub.
Skill page: https://clawhub.ai/hashstacs-hk/feishu-quick-setup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install feishu-quick-setup

ClawHub CLI


npx clawhub@latest install feishu-quick-setup

Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign

OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill name, description, SKILL.md, and included JS/MJS scripts all align: they start a device-flow registration with Feishu/Lark, poll for completion, and save appId/appSecret to the OpenClaw config. Minor incoherence: SKILL.md and scripts require running 'node' but the registry metadata declares no required binaries. The missing 'node' declaration is an oversight but not evidence of malicious intent.
Instruction Scope
SKILL.md explicitly instructs the agent to run the provided node scripts step-by-step and to display the verificationUrl exactly as returned. The instructions do not ask the agent to read unrelated files or exfiltrate arbitrary data. The scripts do read/write only the OpenClaw config and a local .pending.json file (documented in code), which is consistent with the skill's purpose.
Install Mechanism
There is no external install spec or remote download; all code is bundled with the skill (JS/MJS). That keeps install risk low. The scripts will be executed locally; no archives or external binaries are fetched by the skill itself.
Credentials
The skill requests no environment variables or external credentials, which is appropriate. It does write sensitive secrets (appSecret) into the user's OpenClaw config (~/.openclaw/openclaw.json) in cleartext — this is expected for its function but is a sensitive action users should be aware of. The code also writes a .pending.json file next to the scripts to persist device_code state.
Persistence & Privilege
The skill is not always-enabled and does not request elevated system-wide privileges. It modifies only the OpenClaw config (its intended target) and creates a local pending file; it does not alter other skills or global agent settings.
Assessment
This skill appears to do what it claims: run local node scripts that talk to Feishu/Lark and store the created appId/appSecret in ~/.openclaw/openclaw.json. Before installing or running it:

  1. Ensure you have a recent Node runtime available (SKILL.md uses 'node' but the registry metadata didn't list it).
  2. Inspect the bundled scripts (they are included) and confirm you trust them; they only call accounts.feishu.cn / accounts.larksuite.com and write to your OpenClaw config and a .pending.json file.
  3. Back up your existing ~/.openclaw/openclaw.json (the script makes a .bak for existing files, but you may want your own backup).
  4. Remember that appSecret is stored in cleartext in openclaw.json; consider filesystem permissions and whether that is acceptable.
  5. If you plan to let an autonomous agent invoke this skill, be aware it will execute the bundled node scripts with whatever filesystem/network permissions the agent process has.

If any of these items concern you, run the scripts manually instead of allowing the agent to run them autonomously.
Static analysis findings:

  • quick-setup.js, line 93: File read combined with network send (possible exfiltration).
  • quick-setup.mjs, line 95: File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Latest version ID: vk972n1segjpbt930emhf6n301584a516
113 downloads
0 stars
3 versions
Updated 3w ago
v1.0.2
License: MIT-0

feishu-quick-setup

Module compatibility: Scripts are provided in both .js and .mjs. Prefer .mjs; if you get a module error, fall back to .js.

Create a Feishu Bot for the user by executing the commands below step by step. All script output is single-line JSON.

Runtime

  • Command: node
  • Resolve script paths relative to this SKILL.md directory to absolute paths before execution.

Steps

Step 1 — Check existing config

node "{script_dir}/quick-setup.mjs" --status
  • configured: true → Tell the user Feishu is already configured (show appId) and ask if they want to reconfigure
  • configured: false → Proceed to Step 2

Step 2 — Start registration

node "{script_dir}/quick-setup.mjs" --begin --domain "feishu"
  • --domain: feishu (mainland China, default) or lark (international)
  • On error: false — you get verificationUrl and deviceCode. Proceed to Step 3.
  • On error: true — show the error message to the user and stop.

Step 3 — Show the link

Display the verificationUrl from Step 2 to the user as-is:

Please click the following link to complete Feishu authorization: {verificationUrl}

After clicking, tap "确认创建" (Confirm creation) in Feishu.

The correct link format is https://open.feishu.cn/page/openclaw?user_code=.... Do not modify or reconstruct the URL. This flow uses a link, not a QR code.

After showing the link, proceed directly to Step 4 (no need to wait for user reply).

Step 4 — Poll for completion

node "{script_dir}/quick-setup.mjs" --poll --wait --timeout 300

The script polls internally every 5 seconds until the user completes authorization or the timeout (default 5 min) is reached.

  • status: "completed" → Take appId and appSecret from the response, proceed to Step 5
  • status: "error", expired_token → Link expired; restart from Step 2
  • status: "error", access_denied → User denied the request; inform the user
  • status: "timeout" → Timed out; suggest the user retry

Step 5 — Save config

node "{script_dir}/quick-setup.mjs" --save --app-id "APP_ID" --app-secret "APP_SECRET" --domain "feishu"

Replace APP_ID and APP_SECRET with the values from Step 4.

  • success: true → Show the message field from the response to the user (it contains next-step instructions and a permissions link)
  • success: false → Show the failure reason to the user

Notes

  • Always use the commands above; do not call Feishu APIs directly or construct URLs manually.
  • This skill creates a new app. For user-level OAuth on an existing app, use feishu-auth instead.
  • Execute each step — do not skip steps or only describe them.
  • Always show the verificationUrl exactly as returned by the script.
