Pywayne Lark Bot Listener
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: lark-bot-listener Version: 0.1.0 The OpenClaw AgentSkills bundle for 'lark-bot-listener' is benign. The `SKILL.md` file describes a Feishu/Lark message listener, detailing its functionality for receiving and processing various message types (text, image, file, post) via WebSocket. It outlines the use of temporary files for image and file attachments, with explicit mention of automatic cleanup, which is a standard and necessary practice for such a skill. There are no indicators of malicious intent, such as data exfiltration, unauthorized execution, persistence mechanisms, obfuscation, or prompt injection attempts against the AI agent. The instructions are clear, aligned with the stated purpose, and do not suggest any harmful actions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running this with real credentials is granting the listener the ability to receive messages available to the bot and act through that bot account.
The skill expects Lark application credentials, which are sensitive and allow bot-level access to the Feishu/Lark integration.
listener = LarkBotListener(
app_id="your_app_id",
app_secret="your_app_secret"Use a least-privilege Lark bot app, avoid hardcoding secrets, store credentials in a secret manager or environment variables, and rotate them if exposed.
A broad or buggy handler could post unintended replies or files into Lark chats, including group chats.
The instructions document handler behavior that can automatically send chat messages or upload/send returned files/images.
listener.send_message(chat_id, f"已收到:{text}") ... 返回 `Path`: 自动上传并发送新图片Limit handlers with group_only/user_only where appropriate, validate generated outputs and returned files, and test in restricted chats before production use.
Using an unverified or wrong package could expose Lark credentials and message data to code outside this reviewed artifact.
The skill depends on an external Python module, while the provided artifact set contains no code files or install specification for that dependency.
from pywayne.lark_bot_listener import LarkBotListener
Install pywayne only from a trusted source, pin the exact version, review its provenance, and verify it before providing real Lark credentials.