Security scan
OpenClaw
Suspicious
Medium confidence
The skill appears to implement Feishu interactive card sending as described, but it omits or obscures where the required Feishu credentials must be configured, and the plugin metadata and code are inconsistent. This mismatch is suspicious and should be clarified before installing.
Assessment recommendations
This plugin is coherent with its stated purpose (sending Feishu interactive cards), but before installing you should: 1) Confirm where Feishu credentials (appId and appSecret) must be stored — the code expects them in api.config.channels.feishu.accounts (not in env vars) but the plugin metadata/SKILL.md do not document this. 2) Understand that those credentials will be used to request tenant_access_tokens and to send/patch messages on your Feishu tenant (i.e., the plugin can act as the configure...
Detailed analysis
⚠ Purpose and capabilities
Name/description match the code: the skill builds and sends Feishu Card JSON (schema 2.0). However, the code expects Feishu credentials (appId/appSecret) in api.config.channels.feishu.accounts, but the plugin metadata (openclaw.plugin.json and SKILL.md) do not declare or document these required credentials or config paths. That config requirement is not made explicit to the user and is therefore disproportionate to the stated 'no env vars / no creds' registry metadata.
ℹ Instruction scope
SKILL.md instructs the agent to install the feishu-cards plugin and use the provided tools (feishu_send_card / feishu_send_form / feishu_update_card). It correctly limits network calls to Feishu APIs for sending/updating cards. However, SKILL.md does not clearly document that the agent must have Feishu account credentials configured (appId/appSecret) or where to place them; it does mention the built-in feishu plugin for callbacks but lacks configuration guidance.
✓ Install mechanism
Install spec is an npm plugin (@openclaw/feishu-cards). This is a standard registry install mechanism (no arbitrary URL downloads or archive extraction). package.json lists the plugin and a peer dependency on @openclaw/feishu, which is expected.
⚠ Credential requirements
Registry metadata reports no required environment variables or primary credential, but the code clearly requires Feishu appId/appSecret stored in agent config (cfg.channels.feishu.accounts). Requesting secret credentials without declaring them in requires.env/config schema is a mismatch and a security concern: users may not realize where secrets are stored or that the plugin will use them to obtain tenant_access_tokens and send messages on their behalf.
✓ Persistence and privileges
The skill is user-invocable and not force-included (always:false). It registers tools for explicit use and does not request global modifications or permanent elevation. Autonomous invocation is allowed by default but is not combined with other high-risk flags here.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.2.1 2026/3/15
Fix the incorrect form_action_type value in src/send-card.ts: action_type:form_submit/form_reset → form_action_type:submit/reset (the correct JSON 2.0 field)
● Harmless
Install command
Official: npx clawhub@latest install feishu-card-v2
Mirror: npx clawhub@latest install feishu-card-v2 --registry https://cn.longxiaskill.com