Feishu User Auth

Advisory

Audited by VirusTotal on Apr 7, 2026.

Overview

Type: OpenClaw Skill
Name: feishu-user-auth
Version: 1.0.0

The skill implements a standard OAuth2 authorization flow for Feishu, allowing an agent to obtain and cache user tokens locally. It uses a local loopback address (127.0.0.1:14578) for the authorization callback and stores credentials in a local directory (~/.codex/feishu-auth/), which is standard behavior for CLI-based authentication tools. The code in runtime.py and instructions in SKILL.md are consistent with the stated purpose and do not exhibit signs of data exfiltration, malicious execution, or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Any person or later process that can read the cached token may be able to act with the authorized Feishu user's permissions until the token is revoked or expires.

Why it was flagged

The skill obtains and stores Feishu user-level tokens so another skill can write Bitable rows as the current user. This is central to the purpose and disclosed, but it is delegated account authority.

Skill content

Exchange for `user_access_token + refresh_token` ... cached locally at `~/.codex/feishu-auth/content-system-sync.json` ... then run `feishu-bitable-sync` to write to the Bitable as the user

Recommendation

Install only if you trust the Feishu app and later sync workflow; review the app permissions, protect the cache file, and revoke or delete the token when it is no longer needed.

What this means

The reviewed files do not show malicious behavior, but the exact OAuth scopes, token exchange handling, and storage behavior depend on the external runtime helper.

Why it was flagged

The provided runtime delegates the browser OAuth flow, token exchange, and cache path logic to an external helper that is not included in the skill manifest, so those implementation details are outside this artifact review.

Skill content

from skill_runtime.feishu_auth import ( ... run_browser_authorization, token_cache_path, )

Recommendation

Use this skill in a trusted OpenClaw/runtime environment and review or pin the referenced skill_runtime.feishu_auth implementation if handling sensitive Feishu data.