Find and download files from Feishu chat history by filename.

This skill's behavior (using the Feishu SDK to search chat history and download files) is coherent with its description, but there is an important metadata mismatch: the registry entry does not declare the FEISHU_APP_ID and FEISHU_APP_SECRET env vars that both SKILL.md and the code require. Before installing or running this skill: 1) Only provide FEISHU_APP_ID/FEISHU_APP_SECRET for an app you created or trust; prefer an app with minimal permissions (read-only access to the specific chat scope). 2) Review package.json and the exact versions of dependencies (npm install will pull @larksuiteoapi/node-sdk and commander). 3) Run the skill in a sandboxed environment or container to limit filesystem/network exposure; it will write downloaded files to disk. 4) Ask the publisher to update registry metadata to declare the required environment variables and to provide a homepage/source repo for auditing. 5) If you need higher assurance, audit the SKILL.md and index.js yourself or have a trusted reviewer confirm there are no unexpected network endpoints or credential exfiltration paths (none were detected in the provided code).

Type: OpenClaw Skill Name: feishu-doc-finder Version: 1.0.0 The skill's primary function is to find and download files from Feishu, which aligns with its description. It accesses `FEISHU_APP_ID` and `FEISHU_APP_SECRET` from environment variables, which is necessary for its operation, and there is no evidence of exfiltration. However, the `index.js` script constructs the output file path using `path.join(options.output, fileName)`. If the `fileName` retrieved from the Feishu API contains path traversal sequences (e.g., `../../evil.sh`), a malicious file could be written outside the intended output directory. This represents a potential path traversal vulnerability, classifying the skill as suspicious due to this risky capability, even though there's no clear evidence of intentional malicious behavior by the developer.