Is baofeidyz/feishu-leave-request safe?

https://github.com/openclaw/skills/tree/main/skills/baofeidyz/feishu-leave-request

92
SAFE

feishu-leave-request is a pure markdown skill with no executable code, no install hooks, and no prompt injection vectors. It guides an agent through collecting leave request information and navigating the Feishu desktop app via browser automation, with explicit user confirmation required before submission. Post-install canary file reads are attributable to the oathe monitoring system's integrity check cadence rather than the skill itself, and all honeypot files were confirmed unmodified. The only residual risk surface is the inherent breadth of browser automation access, which the skill uses in a narrow and explicitly constrained manner.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (4)

LOW Canary files accessed post-install -10

Several honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) appear in auditd PATH records at timestamp 1771735774 and 1771735778, which is after the skill install completed. However, the skill contains zero executable code and cannot have triggered these reads. The access pattern is consistent with the oathe monitoring system's scheduled canary integrity check. All canary files were confirmed intact by the monitoring report.

LOW Browser automation scope broader than stated task -12

The skill requests browser automation access to interact with the Feishu desktop application. While the stated use is benign and well-scoped, browser automation tools can interact with any rendered content. An attacker seeking to abuse this skill would need to also compromise the agent's instruction-following behavior, as the skill itself contains no malicious instructions.

INFO Pure markdown skill with no executable components 0

The skill package consists entirely of SKILL.md, _meta.json, and .clawhub/lock.json. There are no scripts, binaries, or install hooks of any kind. The attack surface for supply-chain compromise via this skill is essentially zero.

INFO Install cloned only from github.com via expected mechanism 0

The install script performed a shallow sparse checkout from github.com (140.82.112.3:443) and immediately cleaned up the temp clone directory. No other network endpoints were contacted as part of the skill install.