Security scan
OpenClaw
Suspicious
Medium confidence. The skill largely does what it claims (write structured logs to Feishu) but contains several inconsistencies and risky practices (undeclared required credentials, hard-coded default credentials, and reading/writing OpenClaw config files) that warrant caution before installing.
Assessment recommendations
What you should check before installing/use:
- Expectation vs reality: The skill's metadata said no env vars, but the code and SKILL.md require FEISHU_APP_ID and FEISHU_APP_SECRET (and a DEFAULT_OWNER_ID). Don't rely on the registry metadata alone.
- Credentials in code: Several source files include hard-coded default app_id, app_secret, and folder tokens. Treat these as suspicious — they may be placeholders, but you should not use them. Replace with credentials from an app you control.
- Ten...
Detailed analysis
⚠ Purpose and capabilities
The skill's stated purpose (write structured logs to Feishu) matches the code. However, the registry metadata declares no required environment variables, while SKILL.md and the code clearly require FEISHU_APP_ID, FEISHU_APP_SECRET and a DEFAULT_OWNER_ID (or equivalent config files). The code also contains built-in default app_id/app_secret values and folder tokens, which are unexpected in a published skill and may indicate leaked or placeholder credentials. Requiring tenant-level app credentials (tenant_access_token) is coherent for this integration, but the metadata omission and hard-coded defaults are inconsistent.
⚠ Instruction scope
SKILL.md describes using tenant_access_token and creating folders/docs, which is consistent. But the runtime instructions and code do more: they read/write files under the user's home (~/.openclaw/workspace/.env, ~/.openclaw/feishu-credentials.json, ~/.openclaw/openclaw.json), offer an interactive credential configurator, and indicate that users are automatically added as full_access collaborators. Reading the global OpenClaw config to pull credentials and writing persistent credential files expands the scope beyond ephemeral API calls and should be reviewed by the user.
✓ Install mechanism
There is no remote install step; this is instruction + local code only. No external download URLs or extract steps are present. That lowers supply-chain risk compared to remote installers.
⚠ Credential requirements
The skill legitimately needs Feishu app credentials (app_id/app_secret) to obtain a tenant_access_token. However: (1) the registry metadata claims no required env vars while SKILL.md and code require them; (2) multiple files contain hard-coded default app_id/app_secret and folder tokens (placeholders or real) — storing credentials in source is risky; (3) the skill requests tenant-level capability (drive/docx and permission management) which grants broad access to the organization's files. These factors together increase the blast radius if credentials are misused.
ℹ Persistence and permissions
The skill does not set always:true and does not request elevated agent privileges. However it persists credentials/config to the user's home (~/.openclaw/...), and will add users as collaborators with full_access on created folders. Persisting app secrets to disk and modifying OpenClaw config are permanent actions the user should explicitly consent to.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.2 2026/3/13
feishu-log 1.0.2 Changelog - Improved the examples in the "Usage" section so that users can more easily understand the log content input format. - Trimmed and streamlined the opening part of the documentation, consistently using more intuitive Markdown lists. - Removed redundant text to keep the instructions concise and readable and to avoid repeated information. - No functional changes were made to the remaining workflow, permission notes, or output examples; only the wording of the documentation was corrected.
● Suspicious
Install command
Official: npx clawhub@latest install feishu-log
Mirror (accelerated): npx clawhub@latest install feishu-log --registry https://cn.longxiaskill.com