Skill v1.0.0

ClawScan security

Feishu Channel Integration for Nanoclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 3:59 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and requested credentials line up with its stated purpose (adding a Feishu/Lark channel); nothing obvious or disproportionate to the described function was found.
Guidance
This skill appears to do exactly what it says: add a Feishu channel using the official Lark SDK. Before installing: (1) review the included source files to confirm no unexpected network endpoints or credential usage (the code calls open.feishu.cn as expected); (2) back up your repo or work on a feature branch because the apply-skill step writes files and modifies src/channels/index.ts; (3) ensure your .env contains only the Feishu credentials you want the app to read (the instructions copy .env into data/env/env); (4) run tests/build locally and inspect any merge conflicts; and (5) be aware an npm dependency (@larksuiteoapi/node-sdk) will be added — if you require stricter supply-chain assurance, audit that package/version before proceeding.

Review Dimensions

Purpose & Capability
ok: Name/description (Feishu channel) match the manifest, SKILL.md, and included code. The package adds a Feishu channel implementation, unit tests, an import line to the channel barrel, and an npm dependency for the official Lark SDK — all expected for this feature.
Instruction Scope
note: Instructions perform project-local changes: check .nanoclaw/state.yaml, run the skills engine to apply the included files, update .env and copy it into data/env/env, run tests/build, and restart the service. These steps are appropriate for integrating a new channel, but they do modify repository files and sync the .env into the container environment — review the changes and ensure .env does not contain unrelated secrets before copying.
Install Mechanism
note: No automated installer is embedded; SKILL.md instructs using the project's apply-skill script (npx tsx), which will add files and install the npm dependency @larksuiteoapi/node-sdk. Installing an npm package is expected for this integration, but it is a moderate-risk action (third-party npm dependency).
Credentials
note: The skill only requires Feishu app credentials (FEISHU_APP_ID and FEISHU_APP_SECRET), which are appropriate. One operational detail: the workflow copies the repository .env into data/env/env for container consumption — ensure that .env only contains credentials you intend to expose to the application runtime.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It modifies the local channel index (appending an import) and self-registers, which is expected behavior for adding a channel. Autonomous invocation remains the platform default but is not combined with other red flags here.