Skill v1.0.1

ClawScan security

Feishu Sender · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 11:51 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, declared environment variables, and runtime instructions are consistent with a Feishu (Lark) messaging/sending tool and do not request unrelated credentials or suspicious installs.
Guidance
This skill appears to do what it says: send messages and files to Feishu. Before installing or using it: (1) verify the FEISHU_APP_ID/SECRET and chat ID come from a dedicated Feishu app with minimal permissions; (2) review the included Python code if you don't trust the publisher (it will upload any file path you supply and will load a .env file into your environment); (3) ensure the runtime has the 'requests' package available or install it in an isolated environment; (4) avoid passing sensitive local files to the CLI unless you intend to transmit them; and (5) prefer creating an app/credentials with least privilege and monitor outgoing traffic to open.feishu.cn. If you want extra assurance, run the code in a disposable/isolated environment and inspect network requests.

Review Dimensions

Purpose & Capability
ok: Name/description (send messages/files to Feishu) match the declared env vars (FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_CHAT_ID) and the included code implements token retrieval, file/image upload, and message sending to open.feishu.cn.
Instruction Scope
note: SKILL.md and the CLI instruct setting FEISHU env vars or a .env file and calling the CLI or library. The code will read any file paths you pass (to upload/send) and will optionally load a provided .env file into os.environ — this is expected for a sender but means the skill will transmit any local file you explicitly provide.
Install Mechanism
ok: No install spec (instruction-only). The code uses the requests library but no installer is declared. No remote download URLs or archive extraction are present.
Credentials
ok: Only FEISHU_APP_ID, FEISHU_APP_SECRET, and FEISHU_CHAT_ID are required — these are the expected credentials for Feishu Open API. The code does not request additional unrelated secrets or config paths.
Persistence & Privilege
ok: Skill is not always-enabled and does not request system-wide persistence or modify other skills. It runs only when invoked and performs network calls to the official Feishu Open API domain.