Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pywayne Lark Bot

v0.1.0

Feishu/Lark Bot API wrapper for full-featured Feishu bot interactions. Use when users need to send messages (text, image, audio, file, post, interactive, sha...

0 · 681 · 2 current · 2 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a full-featured Feishu/Lark bot wrapper (pywayne.lark_bot) and shows examples that require a Python package and Feishu credentials, but the skill bundle contains no code, no package, and no install spec. It's unclear whether the runtime environment will actually have the referenced 'pywayne' package or who provides it. A legitimate wrapper skill would normally include the code or a clear, trustworthy install mechanism.
Instruction Scope
The SKILL.md contains concrete runtime examples that require providing app_id/app_secret, uploading/downloading local files, and running a message listener (which implies opening network endpoints). The instructions themselves don't tell the agent to search system files or environment beyond explicit examples, but they assume access to local file paths and long-lived credentials. The listener examples (truncated) suggest actions with network exposure but lack guidance about binding addresses, webhook URLs, or security.
Install Mechanism
There is no install specification and no code files; however the instructions import 'pywayne.lark_bot' and related modules. Without an install step or included code, the instructions cannot be executed in a clean environment unless the package is preinstalled by other means. This mismatch is an incoherence risk (either the package is expected to exist on the host or the SKILL.md is incomplete).
Credentials
The SKILL.md examples require app_id and app_secret (clear credentials for Feishu) and perform file uploads/downloads, but the skill metadata declares no required environment variables, no primary credential, and no config paths. That omission is a mismatch: the skill needs credentials to work but doesn't request or describe how they should be provided, which could lead users to supply secrets in an ad-hoc, unsafe way.
Persistence & Privilege
The skill is not marked 'always:true' and is user-invocable; there is no install action, no writes to other skills' config, and no elevated privilege requests in the metadata. Persistence and privileged presence are not requested by the skill package itself.
What to consider before installing
This package is an instruction-only description of a Python Feishu/Lark wrapper but includes no code or install instructions and fails to declare the Feishu credentials it demonstrably uses. Before installing or using it:
1) Ask the publisher for the actual package source (PyPI name or a trustworthy GitHub repo) and verify the code matches the documentation.
2) If you must install, prefer an official release (PyPI or GitHub release) and review the source for unexpected network, filesystem, or credential-handling behavior.
3) Do not paste app_id/app_secret into unknown UIs; supply credentials only to vetted code and follow least-privilege practices.
4) Be cautious about enabling any listener/webhook the code asks you to run; understand what network ports are opened and whether it exposes secrets or message payloads to third parties.
If the author cannot provide a clear, verifiable package/source and install steps, treat this skill as untrusted.


latest: vk97d6pv3yh81nbzqw16jxhmgb1819tp1

