技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.1
统计:⭐ 1 · 2k · 49 current installs · 53 all-time installs
⭐ 1
安装量(当前) 53
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:autogame-17/feishu-common
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill mostly looks like a legitimate Feishu helper, but its runtime behavior (loading ../../.env and reading/writing token files outside the skill directory) and missing declared credentials are inconsistent and warrant caution.
目的
The name/description claim a small shared Feishu helper, which fits the code's purpose. However the package does not declare required environment variables or config paths even though index.js expects FEISHU_APP_ID and FEISHU_APP_SECRET (via dotenv) and writes a token cache to a relative path outside the package (../../memory/feishu_token.json). Those filesystem and credential accesses are not described in the metadata or SKILL.md and are disp…
说明范围
SKILL.md instructs dependent skills to require the module but does not mention that the module will: (1) load ../../.env into process.env using dotenv, (2) read FEISHU_APP_ID and FEISHU_APP_SECRET from process.env, and (3) create/read a token cache under ../../memory/feishu_token.json. Those actions access files and potentially other environment secrets outside the skill's directory and are not documented in SKILL.md.
安装机制
The skill is instruction-only (no install spec), which minimizes install-time risk. However package.json/package-lock are included (dependencies: axios, dotenv) but there is no declared install step — at runtime the environment may not have these packages available. This is inconsistent but not directly malicious. No external download URLs or archive extraction are used.
证书
The registry metadata declared no required env vars or primary credential, but the implementation requires FEISHU_APP_ID and FEISHU_APP_SECRET (sensitive credentials) and loads a ../../.env file. This mismatch means the skill will expect secrets that were not disclosed by the skill metadata and could read other variables from the .env it loads.
持久
The code writes a persistent token cache to ../../memory/feishu_token.json and will create the directory if missing. That gives the skill write access to a location outside its own folder and could conflict with or expose tokens used by other components. The skill is not marked always:true, but its filesystem persistence and cross-directory access are privileges not documented in SKILL.md or metadata.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Feishu Common」。简介:Provides shared Feishu authentication, tenant token caching, retry handling, an…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/autogame-17/feishu-common/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。