ClawAudit verdict

feishu-pdf-uploader

88 · 🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

Uploads local PDF files to Feishu Drive using the official three-step upload API; credentials are used only to obtain a Feishu tenant access token and the skill explicitly states they are not stored or sent elsewhere.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.

55 security · 70 transparency · 70 maintenance

Findings (4)

Pattern match critical

Possible hardcoded credential

SKILL.md · code · token="VnTdf2MNglfgPtdrhCxcSTdOnZd

Pattern match medium

Accesses OpenClaw config/secrets directly

scripts/upload_pdf.py · prose · downgraded · ~/.openclaw/openclaw.json

Pattern match low

Python os.environ.get — reads environment variable

scripts/upload_pdf.py · prose · downgraded · os.environ.get(

Pattern match low

Python os.getenv — reads environment variable

uploader.py · prose · downgraded · os.getenv(

Permissions & capabilities

Requires 1 system binary.
