Feishu Group
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly purpose-aligned, but it stores Feishu contact data in the agent’s startup context and syncs raw names into that context, which creates privacy and prompt-poisoning risks.
Install only if you are comfortable putting Feishu names and open_ids into USER.md for the agent to read across sessions. Protect USER.md and openclaw.json, review the generated table, avoid sharing or committing it, and consider sanitizing contact names or using a scoped lookup tool instead of embedding the directory in the system prompt.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may carry a Feishu contact directory across tasks and conversations, increasing exposure if USER.md is shared, committed, or included in unintended contexts.
The skill intentionally stores Feishu directory mappings in persistent prompt context. This supports the stated purpose, but users should understand that names and identifiers become reusable agent context.
Embed an `open_id → name` lookup table in USER.md. Since workspace files are injected into the system prompt
Keep USER.md private, avoid committing it to shared repositories, and consider storing the lookup in a scoped tool or data file rather than system-prompt context.
A crafted directory entry could confuse sender lookup or inject text that influences the agent in later sessions.
Feishu-supplied names and open_ids are written into the USER.md table without escaping or sanitization. Because SKILL.md says USER.md is injected into the system prompt, a malformed or attacker-controlled contact name could become persistent prompt content.
`table_rows = "\n".join(f"| {u['name']} | {u['open_id']} |" for u in users)`
Escape Markdown table characters and newlines, validate contact fields, and add explicit instructions that the contact table is data only and must not be treated as instructions.
A user may enable full contact syncing or share USER.md while underestimating that it contains personal directory identifiers.
Names and app-specific open_ids can identify people within the Feishu app, so saying there is no PII under-discloses the privacy impact.
Only names and open_ids are stored (no emails, phones, or PII)
Revise the privacy statement to say that names and open_ids are personal identifiers, explain retention and access risks, and recommend protecting USER.md.
Running the script grants it whatever Feishu contact-read authority the configured app has, potentially including the full organization directory.
The script uses configured Feishu app credentials to obtain contact data. This is expected for the sync purpose, but it relies on sensitive app-level access.
Pulls the full user list from Feishu contacts API using app credentials from openclaw.json
Use the least-privileged Feishu app permission needed, protect openclaw.json, and run the sync only for accounts you intend to expose to the agent.
Contact data in the agent context may change automatically each week and persist after the user forgets about the scheduled job.
The skill documents an optional recurring background sync. It is disclosed and scoped, but it continues reading credentials and updating USER.md until the crontab is removed.
Set up weekly auto-sync via crontab: 0 7 * * 1 python3 /path/to/scripts/sync_feishu_contacts.py ~/.openclaw/openclaw.json my_app ~/workspace/USER.md
Use the cron job only if needed, document it, review USER.md after syncs, and remove the crontab entry when uninstalling or disabling the skill.
