Skill v1.0.0

ClawScan security

feishu-diagram-chooser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 6:44 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only skill that recommends diagram types from a natural-language description; its declared inputs and behavior are internally consistent and it does not request credentials, binaries, or install artifacts.
Guidance
This skill is instruction-only and appears coherent for recommending diagram types; it does not request credentials or install code. Before using it: 1) test it with non-sensitive example descriptions to confirm behavior; 2) note the 'Feishu' name — the skill does not currently integrate with Feishu APIs, so if you expect platform posting you should verify that separately; 3) avoid sending sensitive data in the 'description' until you confirm how outputs are used by your agent; and 4) if a future version adds an install step or environment variables, re-evaluate because that would materially change the security posture.

Review Dimensions

Purpose & Capability
note: The skill name and description (feishu-diagram-chooser) indicate a diagram-recommendation helper and the SKILL.md contains detailed intent classification, decision logic, and output schema that align with that purpose. One minor note: the name includes 'Feishu' which may suggest integration with Feishu platform APIs, but the skill declares no Feishu credentials or APIs; the skill appears to be a purely local chooser/generator of diagram recommendations rather than a Feishu integration.
Instruction Scope
ok: SKILL.md provides structured runtime instructions, trigger rules, input schema, output schema, and detailed mapping rules for choosing Mermaid/ECharts/image options. It does not instruct the agent to read files, environment variables, system paths, or to send data to external endpoints; it operates on the supplied 'description' and optional 'context' only.
Install Mechanism
ok: No install spec and no code files are present (instruction-only). Nothing is written to disk or downloaded as part of the skill, which minimizes install risk.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. The declared inputs (description, context) are appropriate and proportional to the stated functionality.
Persistence & Privilege
ok: always:false (default) and autonomous invocation is allowed (disable-model-invocation:false); this is the platform default. There is no request to modify other skills or system-wide settings and no persistence behavior declared.