Skillv1.0.0

ClawScan security

Feishu Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 5:09 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's documented capabilities align with a Feishu/Lark integration, but there are inconsistencies and unclear runtime behaviors (missing declared env vars, a macOS screenshot step, and an unspecified 'cron' scheduler) that warrant caution before installing.
Guidance: Before installing or providing secrets: 1) Ask the publisher for a source repo or homepage and request that registry metadata be updated to declare FEISHU_APP_ID and FEISHU_APP_SECRET so requirements are transparent. 2) Only create a Feishu app with the minimum required scopes and consider using an app/account limited to a test workspace. 3) Confirm what the 'cron' command refers to and where scheduled tasks run—do not allow hidden background scheduling without understanding the runtime. 4) The screenshot step uses macOS 'screencapture' and will capture local screen contents; avoid running that on machines with sensitive data unless you trust the skill and runtime. 5) If you decide to proceed, store credentials in a revocable way and plan to rotate/revoke the FEISHU_APP_SECRET if you uninstall the skill or if anything suspicious occurs. 6) If you cannot verify the publisher or the missing metadata is not corrected, treat this skill as untrusted and avoid installing it in production or on machines with sensitive information.
Findings: [no_regex_findings] expected: The static scanner found nothing because this is an instruction-only skill (only SKILL.md present). That absence of findings is not evidence of safety; the SKILL.md itself is the primary runtime surface to review.

Review Dimensions

Purpose & Capability: noteThe name/description match the SKILL.md: it uses Feishu APIs to read/write Docs/Sheets/Wiki, fetch IM history, upload/send files, manage permissions, and create reminders—these all legitimately require a Feishu app ID/secret and API calls. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md explicitly asks for FEISHU_APP_ID and FEISHU_APP_SECRET. Also the skill includes platform-specific behavior (macOS screenshot) which is not mentioned in registry metadata.
Instruction Scope: concernMost instructions are explicit REST/API calls to Feishu endpoints (expected). Concerns: 1) The screenshot flow runs a local 'screencapture' command on macOS and writes a file in $TMPDIR — this reads the user's screen and local filesystem and could capture sensitive information. 2) The 'cron add' example references a 'cron' CLI with flags (--session, --system-event) but never explains what tool provides this command or where scheduled tasks run; that ambiguity could allow persistent or background actions beyond the user's intent. 3) SKILL.md tells the agent to use tenant access tokens (normal) but gives the agent instructions that, if executed autonomously, will access local resources and schedule recurring messages.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an installer. That minimizes installation-time risk. Runtime actions (API calls, local screencapture) remain possible if the agent follows the instructions.
Credentials: concernThe SKILL.md legitimately requires FEISHU_APP_ID and FEISHU_APP_SECRET (sensitive credentials) which are proportional to the stated Feishu integration. However, the registry metadata did not declare any required env vars or a primary credential — this mismatch reduces transparency and is a red flag. The app secret grants API access and should only be provided if you trust the skill and runtime environment; it should also be scoped to the minimum permissions needed.
Persistence & Privilege: okThe skill is not always-enabled (always:false) and does not request system-wide configuration changes in the manifest. That said, the 'cron' scheduling behavior could enable persistent scheduled actions if the agent or runtime executes it; the skill does not explain whether scheduling is local to the agent runtime or managed elsewhere, so confirm how scheduled tasks are implemented before granting broad permissions.