Pywayne Lark Custom Bot
v0.1.0
Feishu/Lark Custom Bot API wrapper for sending messages to Feishu channels via webhook. Use when users need to send text messages, images, rich text posts, i...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (Feishu/Lark webhook wrapper) aligns with the instructions (sending text, images, posts, cards). However, the SKILL.md assumes an importable Python package (pywayne.lark_custom_bot) and runtime behavior that requires a library to be present; the skill bundle contains no code, no declared dependencies, and no install spec to provide that library or justify its permissions.
Instruction Scope
The instructions themselves stay on-topic (constructing and sending messages, uploading images, signature verification). They reference local files and OpenCV images for uploads and require bot app credentials for image upload — these are coherent with the feature set and do not instruct reading unrelated system files or exfiltrating data. The main issue is that the instructions assume a third-party Python module is available.
Install Mechanism
There is no install spec and no code files. SKILL.md examples import pywayne.lark_custom_bot, but the package source, distribution channel (PyPI, GitHub, etc.), and installation steps are missing. That gap makes it unclear how the code would be obtained or vetted — a material traceability and supply-chain concern.
Credentials
The skill declares no required env vars and no primary credential, which is consistent with examples that pass credentials into the LarkCustomBot constructor. However, image uploads require bot_app_id and bot_secret (sensitive credentials) according to the docs; the skill does not recommend how to provide or securely store these, nor does it declare them as required variables for the skill. Users should not provide long-lived secrets to an unknown package without provenance.
Persistence & Privilege
No persistent installation or elevated privileges are requested by the skill bundle (always:false). There is no indication the skill modifies other skills or system-wide settings. Autonomous invocation remains allowed (platform default) but is not combined here with other privilege escalation indicators.
What to consider before installing
This SKILL.md documents a Python library but the bundle contains no code or install instructions and the source/homepage are unknown — treat it as incomplete and untrusted. Before installing or using it:
1) ask the publisher for the package source (PyPI name or repository) and an install spec (pip, git URL, or wheel);
2) review the package source code or trust signals (repo, maintainer, releases) before running it;
3) if you must test, do so in an isolated environment/container and avoid reusing production credentials;
4) for image upload features, create a minimal-scope bot credential, rotate it after testing, and avoid giving global account keys;
5) if the publisher cannot provide source or an install artifact, consider the skill untrusted and do not provide secrets.
Like a lobster shell, security has layers — review code before you run it.
