Skillv1.0.0

ClawScan security

Feishu Group Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 10, 2026, 3:23 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly does what it says (pull Feishu messages, store local records, and ask the model to analyze them) but the package and runtime instructions are inconsistent about required credentials and it contains a hard-coded third‑party API key — these mismatches warrant caution before installing.
Guidance: Before installing, consider the following: 1) The skill needs Feishu credentials (FEISHU_APP_ID and FEISHU_APP_SECRET) or a configured ~/.openclaw/openclaw.json, but the package metadata does not declare that — verify where you will supply credentials. 2) billing.py contains a hard-coded SKILLPAY_API_KEY in the repository; ask the author to remove embedded keys and use a configuration or delegate billing to a secure service. 3) The skill will read ~/.openclaw/openclaw.json and write records and context files under ~/.openclaw/workspace — review those files to ensure no unrelated secrets are exposed. 4) Confirm billing behavior and SkillPay endpoints before providing user IDs or running charge operations. 5) If you trust the author and want to proceed, request an updated release that: declares required env vars/config paths, removes hard-coded secrets, and documents exactly what files are read/written. If you cannot obtain those fixes, treat this package cautiously or run it in an isolated environment after rotating any affected credentials.
Findings: [hardcoded-api-key-in-billing.py] unexpected: billing.py contains a plaintext SKILLPAY_API_KEY value embedded in source. A billing/integration module should not ship with customer API keys in code; this is a secret-management issue and could indicate misuse or a leaked credential.

Review Dimensions

Purpose & Capability: noteThe code and SKILL.md implement a Feishu message fetch → local record store → model analysis flow, which matches the skill's stated purpose. However, the skill metadata declares no required environment variables or config paths while the scripts explicitly require Feishu credentials (FEISHU_APP_ID / FEISHU_APP_SECRET) or a user config at ~/.openclaw/openclaw.json. That metadata omission is inconsistent and should be corrected.
Instruction Scope: concernRuntime instructions (and the code) tell the agent to read Feishu messages and save structured records to ~/.openclaw/workspace. listener.py will also read ~/.openclaw/openclaw.json if env vars are absent. Reading a user config file is broader than the metadata indicates and may expose other config data; the SKILL.md does not disclose this file access. The model is entrusted to perform all AI analysis (the scripts avoid LLM calls), but the flow gives the skill ability to fetch and persist user chat content — the user should be aware of what is stored locally and where.
Install Mechanism: okThere is no install script or remote download. The skill is instruction/code-only and does not fetch third-party code at install time, so install-time download risk is low.
Credentials: concernThe package does not declare required env vars but the code expects FEISHU_APP_ID and FEISHU_APP_SECRET (or credentials inside ~/.openclaw/openclaw.json). More importantly, billing.py contains a hard-coded SKILLPAY_API_KEY constant (a plaintext API key). Including an embedded third‑party API key in distributed code is inappropriate: it may indicate credential leakage, impersonation risk, or improper key management. The presence of that key is not justified by the manifest and should be remediated.
Persistence & Privilege: noteThe skill writes configuration and records under ~/.openclaw/workspace and ~/.openclaw/... which is expected for a local chat-memory tool. always:false (normal) and it does not request system-wide privilege escalation. Still, it will store potentially sensitive chat data locally and read the user's openclaw.json config file, so users should confirm they are comfortable with that persistence and review the exact storage paths/contents.