Trusted — Risk Score 0/100
Last scan: 1 day ago
feishu-mention
Feishu @Mention Resolver — auto-converts @name mentions to <at> XML tags using OpenClaw config and Feishu API
A legitimate Feishu mention resolver that reads OpenClaw config, caches to a scoped directory, and calls official Feishu APIs. No hidden functionality, credential exfiltration, or suspicious behavior detected.
Skill Name: feishu-mention
Duration: 29.5s
Engine: pi
Safe to install
No action needed. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | index.js:51 — reads ~/.openclaw/openclaw.json |
| Filesystem | WRITE | WRITE | ✓ Aligned | index.js:34-36 — writes to ~/.openclaw/workspace/cache/feishu_mentions/ |
| Network | READ | READ | ✓ Aligned | index.js:95,138,165 — HTTPS calls only to open.feishu.cn official APIs |
3 findings
Medium: External URL
https://open.feishu.cn/open-apis/bot/v3/info
index.js:95

Medium: External URL
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal
index.js:138

Medium: External URL
https://open.feishu.cn/open-apis/im/v1/chats/$
index.js:165

File Tree

13 files · 43.9 KB · 1416 lines
Markdown 7f · 637L | JavaScript 4f · 495L | Python 1f · 254L | JSON 1f · 30L
├─ 📁 assets
│ ├─ 📝 debug_guide.md Markdown 94L · 2.5 KB
│ ├─ 📜 example_usage.js JavaScript 60L · 1.8 KB
│ └─ 📜 send_message_example.js JavaScript 63L · 1.7 KB
├─ 📁 scripts
│ └─ 🐍 mention_resolver.py Python 254L · 8.9 KB
├─ 📝 AGENTS.md Markdown 80L · 2.9 KB
├─ 📝 FEISHU_MESSAGE_FORMAT.md Markdown 79L · 1.7 KB
├─ 📜 index.js JavaScript 352L · 11.5 KB
├─ 📝 integration.md Markdown 109L · 3.0 KB
├─ 📋 package.json JSON 30L · 686 B
├─ 📝 QUICKSTART.md Markdown 88L · 2.9 KB
├─ 📝 README.md Markdown 89L · 2.3 KB
├─ 📝 SKILL.md Markdown 98L · 3.4 KB
└─ 📜 test.js JavaScript 20L · 621 B

Security Positives

✓ No credential exfiltration: appSecret is used server-side to obtain tokens, never exposed
✓ Scoped filesystem access: only reads ~/.openclaw/ and writes to a dedicated cache subdirectory
✓ Network calls restricted to official Feishu API endpoints (open.feishu.cn)
✓ No base64, eval, or obfuscation patterns found
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ Python script (scripts/mention_resolver.py) is a feature-equivalent port with no extra functionality
✓ SKILL.md accurately describes all capabilities and API interactions
✓ No subprocess, shell execution, or remote script download patterns
✓ Caching is transparent and scoped to the declared directory