Skill v1.0.0

ClawScan security

Feishu Reading Notes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 27, 2026, 6:54 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (scrape articles and save notes to Feishu) is plausible, but the runtime instructions embed Feishu credentials and require self-modifying local writes, which is disproportionate and risky.
Guidance
Before installing or running this skill, consider:
1) The SKILL.md contains a hardcoded Feishu app_id and app_secret and many folder tokens; these are sensitive. Ask the publisher to remove embedded credentials, require you to provide your own Feishu app credentials (via env vars), and document the required API scopes.
2) The skill will write files under ~/.openclaw/workspace and update a local reading-notes-links.md; review and sandbox those writes first.
3) The instructions explicitly say to update SKILL.md itself. Self-modification can change future behavior; avoid installing unless you trust the source or the SKILL.md is converted to a read-only policy.
4) Verify which Feishu folder(s) the skill will use and whether those folders belong to you. If you must use it, create a dedicated Feishu app/client with minimal drive scopes and rotate/revoke any unknown app_secret found in the file.
5) If unsure, run the skill in an isolated environment and monitor network calls (to open.feishu.cn and other endpoints) and filesystem changes.
If the publisher cannot explain why credentials are embedded and why SKILL.md must be modified, treat the skill as risky.
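Item 1 of the guidance asks the publisher to take the credentials out of SKILL.md and have the user supply their own Feishu app credentials through environment variables. The Python below is an added example of what the caller's side of that looks like; it is not code from the skill, from ClawHub or from Feishu. It assumes the variable names FEISHU_APP_ID and FEISHU_APP_SECRET (chosen for the example), that Feishu app IDs carry a cli_ prefix (an assumption used only as a sanity check), and it builds, but does not send, the request to Feishu's tenant token endpoint on open.feishu.cn, so it runs offline.

```python
"""Added example: take Feishu app credentials from the environment instead of
from SKILL.md, fail closed when they are absent, and keep the secret out of
logs. Not code from the skill, ClawHub or Feishu."""
from __future__ import annotations

import json
import os
from dataclasses import dataclass, field
from typing import Mapping

# Feishu's tenant access token endpoint, on the open.feishu.cn host the
# scanner guidance says to watch for.
FEISHU_TOKEN_URL = (
    "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal")
# Variable names chosen for this example; a real skill should document its own.
ENV_APP_ID = "FEISHU_APP_ID"
ENV_APP_SECRET = "FEISHU_APP_SECRET"


class MissingCredential(RuntimeError):
    """Raised instead of falling back to anything embedded in a file."""


@dataclass(frozen=True)
class FeishuCreds:
    app_id: str
    app_secret: str = field(repr=False)  # never shows up in repr()/debug logs


def load_creds(env: Mapping[str, str] | None = None) -> FeishuCreds:
    """Read credentials from the environment (or a supplied mapping, for tests)."""
    env = os.environ if env is None else env
    missing = [k for k in (ENV_APP_ID, ENV_APP_SECRET) if not env.get(k)]
    if missing:
        raise MissingCredential("missing " + ", ".join(missing))
    app_id = env[ENV_APP_ID]
    # Assumption: Feishu app IDs carry a "cli_" prefix. This catches obvious
    # mix-ups such as a folder token pasted into the wrong variable.
    if not app_id.startswith("cli_"):
        raise MissingCredential(f"{ENV_APP_ID} does not look like a Feishu app_id")
    return FeishuCreds(app_id=app_id, app_secret=env[ENV_APP_SECRET])


def creds_available(env: Mapping[str, str] | None = None) -> bool:
    """Preflight check a skill runner can make before touching the network."""
    try:
        load_creds(env)
        return True
    except MissingCredential:
        return False


def token_request(creds: FeishuCreds) -> tuple[str, bytes, dict[str, str]]:
    """Build (url, body, headers) for the tenant token call. Sending it is left
    to the caller so this block runs offline."""
    body = json.dumps({"app_id": creds.app_id,
                       "app_secret": creds.app_secret}).encode("utf-8")
    return FEISHU_TOKEN_URL, body, {"Content-Type": "application/json; charset=utf-8"}


if __name__ == "__main__":
    creds = load_creds()  # raises MissingCredential if the env is not set
    url, body, _ = token_request(creds)
    print(repr(creds), "->", url, len(body), "bytes")
```

Taking the environment as a mapping parameter keeps the loader testable without touching the real process environment, and hiding the secret from repr() means a debug print of the credentials object cannot leak it, which is the failure the scanner is warning about: a secret copied into a file that every agent run will read.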

Review Dimensions

Purpose & Capability
note
The skill claims to fetch articles and save Markdown notes to Feishu; the Feishu folder tokens and API calls in SKILL.md are consistent with that purpose. However, instead of declaring credentials as required env vars, the SKILL.md contains hardcoded app_id/app_secret and many folder tokens, which is unexpected and poor practice even if functional.
Instruction Scope
concern
The instructions tell the agent to: open a browser and evaluate page JS to scrape content (reasonable), write files under ~/.openclaw/workspace, create Feishu folders and upload files via the Feishu API (reasonable for the task), and explicitly update SKILL.md itself and a local index file when adding categories. Self-modifying the SKILL.md file and creating/updating files in the user's home directory broaden the scope and raise persistence/taint concerns.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files; that lowers install-time risk because nothing new is written to disk by an installer. The runtime still performs file writes and network calls.
Credentials
concern
No required env vars are declared, yet the SKILL.md embeds an app_id and app_secret and multiple folder tokens. Requesting no credentials while shipping hardcoded credentials is inconsistent and problematic: credentials embedded in the instructions may belong to a third party, grant broad access to a Feishu drive, or be stale/compromised. The skill also instructs writing to and reading from ~/.openclaw/workspace, which gives it access to user files in that path.
Persistence & Privilege
note
The always flag is false and the skill is not forced-included. However, the runtime writes persistent files (saved notes and reading-notes-links.md) into the user's home workspace and instructs updating SKILL.md itself. That creates persistent state on the host and gives the skill ongoing local artifacts, which is acceptable for a notes tool but worth caution because SKILL.md modification can change future behavior.
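The Credentials and Persistence & Privilege findings above come down to a few textual patterns in SKILL.md: literal app_id/app_secret/folder_token values, no sign that credentials come from the environment, and instructions to write into SKILL.md or ~/.openclaw/workspace. The Python below is an added example of a pre-install check for those patterns, written for this page; it is not part of ClawScan or OpenClaw. The two SKILL.md snippets inside it are constructed for the example, the credential and token values in them are made up, and the regexes encode assumptions about how such values are written (an opaque alphanumeric folder token, a $VAR reference or the phrase "environment variable" as the sign that credentials are not literal).

```python
"""Added example: heuristic pre-install check of a SKILL.md for hardcoded
Feishu credentials, drive folder tokens, self-modification instructions and
writes into the user's home workspace. Not ClawScan or OpenClaw code."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str      # which heuristic fired
    line_no: int    # 1-based line in SKILL.md, 0 for file-level findings
    excerpt: str    # matched key or text, never the secret value itself


# Literal app_id / app_secret assignments. A value starting with "$" (an env
# reference) cannot match because "$" is outside the value character class.
CRED_ASSIGN = re.compile(
    r"(?i)\b(app_id|app_secret)\b\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{8,})")
# Assumption: Feishu drive folder tokens are opaque alphanumeric strings.
FOLDER_TOKEN = re.compile(r"(?i)\bfolder_token\b\s*[:=]\s*[\"']?([A-Za-z0-9]{16,})")
# A write verb followed within 60 characters by SKILL.md: self-modification.
SELF_MODIFY = re.compile(
    r"(?i)\b(update|edit|modify|rewrite|append to)\b[^.\n]{0,60}\bSKILL\.md\b")
HOME_WRITE = re.compile(r"~/\.openclaw/workspace|\$HOME/\.openclaw")
# Assumption: env-sourced credentials show up as $VAR / ${VAR} or as the
# phrase "environment variable(s)" somewhere in the file.
ENV_DECLARED = re.compile(r"(?i)environment variables?|\$\{?[A-Z][A-Z0-9_]{3,}\}?")


def _looks_like_placeholder(value: str) -> bool:
    # FEISHU_APP_ID written bare (without "$") is a placeholder, not a secret.
    return value.isupper() and "_" in value


def lint_skill_md(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CRED_ASSIGN.finditer(line):
            if not _looks_like_placeholder(m.group(2)):
                findings.append(Finding("hardcoded_credential", n, m.group(1).lower()))
        if FOLDER_TOKEN.search(line):
            findings.append(Finding("folder_token", n, "folder_token"))
        hw = HOME_WRITE.search(line)
        if hw:
            findings.append(Finding("home_workspace_write", n, hw.group(0)))
        sm = SELF_MODIFY.search(line)
        if sm:
            findings.append(Finding("self_modification", n, sm.group(0)))
    has_creds = any(f.check == "hardcoded_credential" for f in findings)
    if has_creds and not ENV_DECLARED.search(text):
        findings.append(Finding("no_env_declared", 0,
                                "credentials are literal and no env source is named"))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Coarse verdict in the scanner's own terms: literal credentials or
    self-modification are enough on their own to call the skill suspicious."""
    checks = {f.check for f in findings}
    if checks & {"hardcoded_credential", "self_modification"}:
        return "suspicious"
    return "note" if checks else "ok"


# Constructed sample mirroring the report's findings; every value is made up.
SAMPLE_SKILL_MD = """\
# Feishu Reading Notes (constructed sample, not the real skill)

Open the article in a browser, evaluate the page JS, and save Markdown.

Use these credentials for the Feishu API:
  app_id: cli_a1b2c3d4e5f6g7h8
  app_secret: Zx9QwErTyUiOpAsDfGhJkLzXcVbNm012
Upload to folder_token: fldcnAbCdEfGhIjKlMnOpQrStUv

Save notes under ~/.openclaw/workspace/reading-notes/.
When adding a category, update SKILL.md itself and reading-notes-links.md.
"""

# Constructed hardened version: credentials via env vars, file is read-only.
HARDENED_SKILL_MD = """\
# Feishu Reading Notes (constructed hardened sample)

Required environment variables: FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_FOLDER_TOKEN.
Call the Feishu API with app_id: $FEISHU_APP_ID and app_secret: $FEISHU_APP_SECRET.
Upload to folder_token: $FEISHU_FOLDER_TOKEN.
Never edit this file at runtime.
"""

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_SKILL_MD), ("hardened", HARDENED_SKILL_MD)):
        found = lint_skill_md(doc)
        print(name, risk_level(found))
        for f in found:
            print(f"  line {f.line_no}: {f.check} ({f.excerpt})")
```

This is a heuristic, not a parser for the SKILL.md schema: a value split across lines, a credential inside a code block labelled as an example, or an instruction phrased without one of the listed verbs will slip past it. Treat a clean result as necessary rather than sufficient, and still do the isolated-environment run the guidance recommends.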