Pywayne Lark Bot Listener
v0.1.0
Feishu/Lark message listener for real-time message processing via WebSocket. Use when users need to listen for incoming Feishu messages (text, image, file, p...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to listen to Feishu/Lark messages and the docs show code that accepts app_id/app_secret and imports pywayne.lark_bot_listener. However the registry metadata declares no required credentials, no primaryEnv, and no install steps. A Feishu listener legitimately needs Feishu credentials and an installable Python package; those are missing from the declared requirements, which is incoherent.
Instruction Scope
SKILL.md contains concrete runtime instructions: import a Python package, construct LarkBotListener with app_id/app_secret, download attachments to a system temp directory (system_temp/lark_bot_temp), run an async listener, and automatically upload/send processed files. These actions are within the stated purpose, but the document gives no guidance for how credentials should be supplied or how the referenced package is installed. The file download/auto-reply behavior is expected for a message listener but raises privacy considerations (automatic download and re-send of attachments).
Install Mechanism
There is no install spec or code shipped with the skill, yet SKILL.md imports pywayne.lark_bot_listener — implying a third-party Python package is required. The registry provides no guidance on how to obtain or verify that package (no pip/install command, no homepage, no repository). That mismatch increases risk because users may be directed to install an unknown package manually.
Credentials
The documentation expects app_id and app_secret (sensitive credentials) to be supplied to LarkBotListener, but the skill declares no required environment variables or primary credential. Required secrets are therefore undocumented, which is a red flag: it's unclear how the skill expects credentials to be provided, stored, or protected. Automatic file downloads and auto-replies also mean those credentials would permit network access to your Feishu tenant and message sending.
Persistence & Privilege
The skill is not configured as always: true and does not request persistent system-wide privileges. It is instruction-only and does not declare actions that modify other skills or global agent settings. Note: agent autonomous invocation (disable-model-invocation=false) is the default and not by itself a problem.
What to consider before installing
Do not install or run this skill as-is. Ask the publisher for: (1) the package source/repository (e.g., GitHub or PyPI) and instructions to install a specific, signed release; (2) exact guidance for supplying Feishu credentials (environment variables or secret manager) and how tokens are stored/rotated. Before using, review the package code (or ask for a vetted upstream link), verify the package is from a trusted author, and run it in an isolated environment. Be especially cautious because the skill auto-downloads attachments and can automatically resend processed files — ensure that behavior is acceptable for your data privacy policies. If you cannot obtain a verifiable package/source and clear credential handling, consider using an alternative with published code or official SDKs.
Like a lobster shell, security has layers — review code before you run it.
latest vk978n2bw6hseatd68xw7te70m9818tym
