Skill v1.0.0

ClawScan security

Multi-Sub-Agent Feishu Configuration (多子代理配置飞书) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 9:41 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
Instruction-only guide that consistently documents how to configure multiple Feishu (飞书) bot accounts for OpenClaw sub-agents; nothing in the package attempts unexplained access or network activity.
Guidance
This package is an instruction-only guide for configuring multiple Feishu bot accounts and appears coherent with that purpose. Things to consider before installing:
- The package owner and homepage are unknown; verify you trust this source before applying configuration changes.
- You will need each Feishu AppID and AppSecret and will be asked to place them into openclaw.json; those are sensitive credentials, so ensure the config file is stored with appropriate permissions and backups are handled securely.
- The included config.json suggests an install step that copies files into skills/ even though the registry showed no install spec. If your platform will perform that copy, inspect the files to be copied first.
- Follow the SKILL.md exactly (bindings must be top-level, both accounts need bindings) to avoid accidental default routing to the main agent.
- Because this is instruction-only, there is no hidden code to analyze; nevertheless, review any changes you make to openclaw.json and restart the gateway in a controlled environment first.

Review Dimensions

Purpose & Capability
ok: Skill name/description (multi Feishu accounts for sub-agents) matches the instructions: editing openclaw.json, adding accounts and bindings, restarting the gateway and checking logs. Required secrets (AppID/AppSecret) are relevant and expected for this purpose.
Instruction Scope
ok: SKILL.md stays on-topic: it describes editing OpenClaw config, adding bindings, restarting gateway, and checking logs. The only file paths referenced are the OpenClaw config (openclaw.json) and OpenClaw log path (/tmp/openclaw/...), which are expected for this configuration task. No steps ask the agent to read unrelated system files, exfiltrate data, or call external endpoints.
Install Mechanism
note: Registry metadata reported 'no install spec' and the package is instruction-only, but config.json includes an "install": { "method": "copy", "path": "skills/" } entry. This is a minor inconsistency: it suggests the package may be intended to be copied into skills/ during installation. Copying static files into a skills directory is normal, but the presence of this install hint should be considered by the installer.
Credentials
note: The skill does not request environment variables or credentials from the platform; it instructs the user to place AppID/AppSecret values into openclaw.json. That is proportionate for configuring Feishu bots, but remember these are sensitive credentials: storing them in a config file requires appropriate file permissions and operational controls.
Persistence & Privilege
ok: Skill is instruction-only, not always-enabled, and does not request persistent elevated privileges. The only potential persistence action implied is copying the skill files into a skills/ directory per config.json, which is reasonable for a configuration guide.