Skill v1.0.0
ClawScan security
feishu-video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 15, 2026, 4:54 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The code and instructions implement sending audio/video to Feishu as advertised, but the package/registry metadata omits the required binaries and the required Feishu credentials — an incoherence that should be resolved before the skill is trusted for installation or granted credentials.
- Guidance: This skill's code correctly implements converting and sending audio/video to Feishu, but the registry entry is inconsistent: it does not declare the required binaries (ffmpeg/ffprobe) or the Feishu credentials the scripts need. Before installing or running: (1) confirm you trust the author and repository source; (2) only provide FEISHU_APP_ID and FEISHU_APP_SECRET to this code if the app has the minimal required scopes (messaging/file upload) and you understand the app's privileges; (3) run the scripts in an isolated environment (container) if you want to limit risk; (4) verify ffmpeg/ffprobe come from trusted packages; and (5) ask the publisher to correct the registry metadata to list the required binaries and required environment variables so that automated review and permission prompts are accurate.
Review Dimensions
- Purpose & Capability (concern): The scripts (send-voice.mjs, send-video.mjs, convert-audio.sh) and SKILL.md all implement sending OPUS audio and MP4 video to Feishu using the Open API — this matches the skill's described purpose. However, the registry metadata claims no required binaries or environment variables, while SKILL.md and the scripts explicitly require ffmpeg/ffprobe and Feishu App credentials (app_id/app_secret and target user/chat ids). The omission in the declared requirements is an incoherence.
- Instruction Scope (ok): SKILL.md instructs the agent to convert audio to OPUS, get its duration, obtain a tenant access token from Feishu, upload the file, and send the audio/video message. The instructions reference only local audio/video files and the Feishu Open API endpoints; they do not ask for unrelated system files or external endpoints outside Feishu. The runtime behavior described is within the stated purpose.
- Install Mechanism (ok): There is no install spec (instruction-only registry entry), and the repository contains CLI scripts. Nothing in the manifest downloads or executes code from remote URLs or adds persistent system-wide hooks. Risk from installation is low; however, the skill relies on system binaries (ffmpeg, ffprobe) that must be present but are not declared in the registry metadata.
- Credentials (concern): The scripts require Feishu App credentials (app_id and app_secret) supplied either as CLI arguments or as environment variables (FEISHU_APP_ID, FEISHU_APP_SECRET). The registry metadata lists no required env vars or primary credential. Requesting these credentials is proportional to the skill's purpose, but the metadata omission is a red flag (it prevents automated gating and review of the requested secrets). No unrelated secrets or extra cloud credentials are requested by the code.
- Persistence & Privilege (ok): The skill does not request 'always: true' or any persistent elevated privilege. It doesn't modify other skills or system-wide configuration. Autonomous invocation is enabled by default, but that is normal; no additional persistence was observed.
