Skill v1.0.0

ClawScan security

Feishu Openclaw Integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 28, 2026, 4:26 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches a Feishu↔OpenClaw integration, but the runtime instructions reference undeclared environment/config items and send chat/files to an external OpenClaw endpoint without clearly declaring those requirements — these inconsistencies deserve attention before installing.
Guidance
This skill appears to implement a normal Feishu ↔ OpenClaw bridge, but there are gaps you should resolve before use:

- Confirm where OpenClaw will run: SKILL.md uses OPENCLAW_URL (default http://localhost:3000) but that environment variable is not declared. If you configure a remote OpenClaw, chat messages and file contents will be POSTed to that URL; only point it at a trusted, TLS-protected server.
- Clarify and protect callback secrets: the instructions ask you to store encryptKey and verificationToken in ~/.openclaw/config/channels.json, but these values are not listed as required env vars. Treat these secrets carefully (don't check them into source control) and prefer environment variables or a secrets store.
- Review data flow: the skill downloads uploaded files and sends their contents to OpenClaw for analysis. If those files contain sensitive data, ensure your OpenClaw deployment and network are trusted and access-controlled.
- Metadata inconsistencies: the SKILL.md advertises a zero-code built-in path, yet the registry metadata requires node/npm.

Ask the publisher to: (1) declare OPENCLAW_URL and any callback secrets in requires.env or explain why they are unnecessary, (2) set the primary credential appropriately (FEISHU_APP_SECRET), and (3) clarify when node/npm are actually required. If you cannot verify the publisher or confirm these points, avoid installing or running the skill in production or on accounts with sensitive data. Run it in an isolated environment and monitor the network destinations it contacts.
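As an added illustration (this is not code from the skill, from its publisher, or from ClawHub), the following Python script performs the pre-install checks the guidance above asks for: it resolves OPENCLAW_URL with the skill's default, refuses plaintext http to anything but loopback, and resolves the two callback secrets from environment variables before falling back to channels.json. The env var names FEISHU_ENCRYPT_KEY and FEISHU_VERIFICATION_TOKEN and the {"feishu": {...}} layout of channels.json are assumptions, since the skill declares neither; the sample inputs at the bottom are constructed.

```python
"""Pre-install checks for the gaps the scan report lists: where OPENCLAW_URL
points, and where the Feishu callback secrets come from.  Stdlib only."""
import json
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
DEFAULT_OPENCLAW_URL = "http://localhost:3000"   # the default SKILL.md uses

# Assumed env var names for the callback secrets; the skill declares none.
SECRET_ENV_NAMES = {
    "encryptKey": "FEISHU_ENCRYPT_KEY",
    "verificationToken": "FEISHU_VERIFICATION_TOKEN",
}


def classify_openclaw_url(url):
    """Return (allowed, reason). Allow https anywhere, or http only on loopback,
    because message bodies and downloaded file contents are POSTed here."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, f"malformed or unsupported URL: {url!r}"
    if parts.scheme == "https":
        return True, f"TLS-protected endpoint {host}"
    if host in LOOPBACK_HOSTS:          # urlsplit() already lowercases the host
        return True, f"plaintext http confined to loopback ({host})"
    return False, (f"plaintext http to remote host {host}: chat and file contents "
                   "would leave the machine unencrypted")


def resolve_openclaw_url(env):
    """Apply the skill's default when OPENCLAW_URL is unset and report whether the
    operator actually declared it (undeclared plus remote is the worst case)."""
    url = env.get("OPENCLAW_URL", DEFAULT_OPENCLAW_URL)
    allowed, reason = classify_openclaw_url(url)
    return {"url": url, "declared": "OPENCLAW_URL" in env,
            "allowed": allowed, "reason": reason}


def load_callback_secrets(env, channels_config):
    """Resolve encryptKey/verificationToken, preferring environment variables over
    ~/.openclaw/config/channels.json.  channels_config is the parsed JSON; the
    {"feishu": {...}} layout is an assumption, not taken from the skill."""
    feishu = channels_config.get("feishu", {})
    resolved = {}
    for name, env_name in SECRET_ENV_NAMES.items():
        if env.get(env_name):
            resolved[name] = {"source": "env", "value": env[env_name]}
        elif feishu.get(name):
            resolved[name] = {"source": "channels.json", "value": feishu[name]}
        else:
            raise ValueError(f"{name} not found in {env_name} or channels.json")
    return resolved


def redact(secret):
    """Log-safe form: never echo a callback secret in full."""
    return secret[:2] + "..." + secret[-2:] if len(secret) > 6 else "***"


def preflight(env, channels_json_text):
    """Combine both checks into a single go/no-go with human-readable findings."""
    findings = []
    target = resolve_openclaw_url(env)
    if not target["declared"]:
        findings.append(f"OPENCLAW_URL not set; skill will default to {target['url']}")
    if not target["allowed"]:
        findings.append("OPENCLAW_URL rejected: " + target["reason"])
    secrets = load_callback_secrets(env, json.loads(channels_json_text))
    for name, info in secrets.items():
        if info["source"] != "env":
            findings.append(f"{name} read from channels.json ({redact(info['value'])}); "
                            "move it to an env var or secrets store")
    return {"go": target["allowed"], "findings": findings}


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials or a real deployment.
    sample_env = {"FEISHU_APP_ID": "cli_example", "FEISHU_APP_SECRET": "example",
                  "OPENCLAW_URL": "http://10.0.0.5:3000"}
    sample_channels = json.dumps({"feishu": {"encryptKey": "k1k2k3k4k5k6",
                                             "verificationToken": "v1v2v3v4v5v6"}})
    print(json.dumps(preflight(sample_env, sample_channels), indent=2))
```

Run it against the environment you intend to give the agent; a result with "go": false means the configured OpenClaw endpoint would receive chat and file contents over plaintext http on a non-loopback host, and each finding names a secret that still lives only in channels.json.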

Review Dimensions

Purpose & Capability
note · Name/description, required binaries (node/npm), and FEISHU_APP_ID/FEISHU_APP_SECRET align with a Feishu integration that can run a Node-based bridge. However, the SKILL.md advertises an 'OpenClaw built‑in' zero-code option while the metadata still requires node/npm; that is inconsistent, since the built‑in path may not need node. The primary credential is also unset even though FEISHU_APP_SECRET is effectively the main secret.
Instruction Scope
concern · The instructions tell the agent/operator to read full chat history, download uploaded files, and POST message and file contents to an OPENCLAW_URL endpoint. That data flow is expected for an integration, but SKILL.md uses OPENCLAW_URL (and implicitly allows it to be remote) while OPENCLAW_URL is not declared in requires.env. The instructions also ask the operator to edit ~/.openclaw/config/channels.json (adding encryptKey/verificationToken), which is reasonable, but the skill does not say where those encrypt/verification tokens should come from. Overall, the agent would be permitted to collect and transmit potentially sensitive chat and file data to whatever OpenClaw endpoint is configured; this needs explicit declaration and security guidance.
Install Mechanism
ok · No install spec and no code files; this is an instruction-only skill. It is low-risk from an install/download perspective (nothing is written or executed by an installer).
Credentials
concern · The declared required env vars (FEISHU_APP_ID, FEISHU_APP_SECRET) are appropriate. But SKILL.md also relies on OPENCLAW_URL (defaulting to http://localhost:3000) and references encryptKey and verificationToken for Feishu callbacks without declaring them as required environment inputs. The omission means the runtime behavior (where data is sent) and the required secrets are not fully specified. The skill does not request unrelated credentials, but the undeclared external endpoint and callback secrets are notable gaps.
Persistence & Privilege
ok · always is false, there is no install spec, and the skill doesn't request system-wide persistent privileges. Agent autonomous invocation is allowed (platform default) but is not combined with broad unexplained permissions here.