Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Identity Routing
v0.1.0
Build and use a Feishu/Lark cross-app identity master for multi-agent, multi-account routing. Use when mapping the same user across different Feishu app open...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Feishu identity routing) aligns with the bundled scripts and reference docs: the code implements merging, batching, and pending-review flows for a canonical feishu-user-master.json. That functionality is expected for this purpose. However, the implementation assumes a specific local workspace (/home/admin/.openclaw/workspace) which is not declared in the skill metadata and may not match a user's environment.
Instruction Scope
SKILL.md tells you to create identity/feishu-user-master.* files, which fits the purpose. But the runtime scripts read/write a hardcoded absolute path (/home/admin/.openclaw/workspace) that is not documented in SKILL.md or declared in requirements. The batch/usage strings in the scripts expect binaries at workspace/bin/... while the repository provides scripts/..., creating an invocation/path mismatch. review_feishu_pending.js also hardcodes reviewer identity strings like 'main-agent' contrary to the SKILL.md advice not to hardcode agent names.
Install Mechanism
No install spec is present (instruction-only with shipped scripts). That is low-risk from an installation perspective because nothing is downloaded or executed automatically. However, the shipped scripts will perform filesystem writes when run.
Credentials
The skill declares no required env vars, but the scripts require write/read access to a specific filesystem location (/home/admin/.openclaw/workspace). This implicit config path is effectively a required resource but is not declared. The scripts do not request API keys or external credentials, which is proportional, but implicit reliance on a particular home directory and the hardcoded 'main-agent' reviewer are surprising and should be justified or parameterized.
Persistence & Privilege
The skill does not request always:true and won't autonomously persist beyond running its scripts; however the scripts will modify a workspace master JSON (create/update pending_reviews, subjects, rejected_reviews). This write access is expected for an identity master tool but is a privileged operation on local data — ensure the workspace path is correct and that you trust the code before allowing writes.
What to consider before installing
This skill implements a plausible Feishu identity merge/routing tool, but review and adjust before installing:
- The scripts operate on /home/admin/.openclaw/workspace (hardcoded). If your workspace is elsewhere, update the scripts or provide that path — otherwise they may fail or write unexpected files.
- There are path mismatches: the batch script expects workspace/bin/merge_feishu_identity.js but the repo provides scripts/merge_feishu_identity.js. Fix file locations or invocation strings before running the batch tool.
- review_feishu_pending.js inserts reviewer metadata ('main-agent' / 'main-agent' noted in approvals). That contradicts the SKILL.md guidance; if you need different agent names, change the hardcoded strings.
- Because the scripts write and overwrite identity files, back up any existing identity files and restrict file permissions before use.
- Audit the scripts locally (they perform only local JSON read/write and spawn local node processes) and, if you will run them in automated agents, ensure the agent runs under a dedicated user with appropriate filesystem permissions.
If you cannot or do not want to modify the scripts, treat this skill as untrusted until the hardcoded paths, invocation mismatches, and agent strings are corrected.
scripts/merge_feishu_identity_batch.js:26
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Tags: feishu, identity-routing, latest, multi-account, multi-agent
