Security Scan
OpenClaw
Suspicious
high confidence
The skill claims Feishu (Bitable) integration and automatic cloud sync, but the shipped code only reads/writes local JSON files and contains no Feishu API calls or credential handling — the pieces don't add up.
Assessment and recommendations
Don't install assuming it will sync with Feishu/Bitable — the code stores customer data locally in data/feishu-crm/*.json and contains no Feishu API calls or credential handling. Ask the author for clarification or an updated release that actually implements Feishu integration and documents required credentials. If you proceed, be aware: (1) data will reside on the host filesystem (privacy/backups matter); (2) there's no declared credential handling, so this skill will not sync to Feishu as adve...
⚠ Purpose and capabilities
SKILL.md and README claim Feishu/Bitable integration (automatic table creation, syncing) and features that imply remote API access, but index.js contains only local filesystem storage (data/feishu-crm/*.json) and no network or Feishu API usage. The declared requirements list no Feishu credentials. This is inconsistent and disproportionate to the stated purpose.
⚠ Instruction scope
Runtime instructions state the skill 'uses existing Feishu API permissions, no extra configuration' and describes automatic creation of Bitable tables, but the actual code never accesses network or external endpoints and instead keeps all data locally. The instructions are misleading about where data is stored and what will happen at runtime.
✓ Install mechanism
No install spec / no external downloads. The skill is instruction-only plus a small index.js that uses only built-in Node modules (fs, path). There is no package installation or remote archive extraction, so install risk is low.
⚠ Credential requirements
The skill requests no environment variables or credentials, yet describes integration with Feishu APIs. Either the skill expects platform-provided Feishu credentials (not declared) or the description is inaccurate. Missing credential declarations reduce transparency and are disproportionate to the claimed cloud integration.
✓ Persistence and privileges
always is false and the skill is user-invocable. The code writes files only under a local data directory it creates in the current working directory; it does not modify other skills or system-wide configs. Privilege/requested persistence appears limited to its own data files.
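Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest · v0.1.1 · 2026/3/13
Added core features: customer management / follow-up records / automatic reminders / sales funnel / report generation
● Benign
Install command
Official: npx clawhub@latest install feishu-crm-lite
Mirror (accelerated): npx clawhub@latest install feishu-crm-lite --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库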