personal-worklist-via-feishu

Review

Audited by ClawScan on May 12, 2026.

Overview

The skill’s Feishu worklist purpose is coherent, but it automatically creates persistent cron reminders and uses dynamic shell execution with under-declared Feishu credential access, so users should review it before installing.

Install only if you want this skill to manage a Feishu Bitable and create recurring OpenClaw reminder jobs. Before use, confirm the exact Feishu table, limit the Feishu app permissions, ask for explicit confirmation before cron setup, and review or patch the shell execution paths to use validated arguments.

Publisher note

## v1.0.1 (2026-05-12)

### Bug Fixes

- Fixed skill malfunction in isolated cron sessions — preferences.json now uses absolute path instead of relative path, ensuring correct user language and open_id are read in all execution contexts
- Fixed APP_TOKEN/TABLE_ID not being dynamically populated in cron reminder messages

### New Features

- **Full bilingual support**: All cron reminder messages (morning/afternoon/evening review) now ship with both Chinese and English templates; AI automatically uses the configured language setting when generating output
- **Language parameter embedded in cron messages**: Each reminder now explicitly states the configured language ("中文" or "English") so the AI consistently outputs in the user's language

### Known Issues Resolved

- Timer tasks now correctly fire and deliver reminders regardless of which session context they run in

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The assistant may create recurring reminder jobs that continue running after the initial task, which can keep invoking the agent and interacting with the user’s Feishu worklist.

Why it was flagged

The skill tells the agent that adding or deleting cron jobs is already authorized and does not require confirmation, enabling persistent scheduled behavior without a fresh user approval step.

Skill content
openclaw cron add/delete is already authorized; execute directly without confirmation
Recommendation

Require an explicit user opt-in before creating, changing, running, or deleting cron jobs; show the exact schedule and provide a clear disable/delete command.

What this means

If an attacker or prompt-injected workflow can influence the language argument, extra shell syntax could potentially be executed in the local environment.

Why it was flagged

The script builds a shell command using the lang value and executes it. Although intended to run the reminder setup script, the argument is not visibly constrained at this call site.

Skill content
const output = execSync(`node "${scriptPath}" --lang ${lang}`, {
Recommendation

Avoid shell interpolation; use spawn or execFile (or execFileSync) with an argument array, and validate lang strictly against zh or en before execution.

What this means

The skill can use the configured Feishu app credentials to read and modify the selected Feishu Bitable according to the scripts.

Why it was flagged

The skill uses local OpenClaw Feishu app credentials to obtain Feishu access, which is expected for this integration but is sensitive account authority.

Skill content
APP_ID and APP_SECRET are read automatically from the OpenClaw configuration (channels.feishu.appId/appSecret)
Recommendation

Declare the Feishu credential/config dependency in metadata and ensure the Feishu app permissions are limited to the intended Bitable operations.

What this means

Accepting setup may alter the target Feishu Bitable by creating tables, fields, options, or task records.

Why it was flagged

The skill can create and update Feishu Bitable tables and fields. This is aligned with the worklist setup purpose but changes cloud data structures.

Skill content
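Functions:
 * 1. Check whether the Bitable exists; create it automatically if it does not
 * 2. Check whether the required fields exist and their types match; create/update them if they are missing or the types do not match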
Recommendation

Use it only with the intended Bitable, review the target APP_TOKEN/TABLE_ID, and back up important tables before initialization.