Feishu Card JSON v2

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong recipient or card content, the agent could send an unintended interactive message to a Feishu user or group.

Why it was flagged

The skill exposes tools that send and update Feishu card messages. This matches the stated purpose, but it can create or change visible workplace chat content.

Skill content

`feishu_send_card` | Send a card message ... `feishu_update_card` | Update the content of a sent card

Recommendation

Confirm recipients and card content before using the skill for group chats, broad announcements, approvals, or other business-sensitive messages.

What this means

The skill acts with whatever Feishu app permissions are configured for the selected account.

Why it was flagged

The plugin obtains a Feishu tenant access token from configured app credentials and uses it to call Feishu message APIs. This is expected for the integration, and the artifacts do not show credential logging or unrelated transmission.

Skill content

body: JSON.stringify({ app_id: appId, app_secret: appSecret }) ... "Authorization": `Bearer ${token}`

Recommendation

Use a least-privilege Feishu app/account, verify the configured `accountId`, and restrict who may ask the agent to send or update Feishu messages.

What this means

Future or mismatched Feishu plugin versions could behave differently than expected.

Why it was flagged

The package relies on a wildcard peer dependency for the Feishu plugin. This is common integration plumbing, but it is less tightly pinned than a fixed version.

Skill content

"peerDependencies": { "@openclaw/feishu": "*" }

Recommendation

Prefer installing from a trusted registry source and, where possible, pin or review the Feishu plugin version used in the OpenClaw environment.

What this means

Information entered into Feishu forms may be processed by Feishu and the OpenClaw Feishu callback integration.

Why it was flagged

Form submissions are routed back through Feishu card-action callbacks handled by another plugin. This is disclosed and purpose-aligned, but users should understand where submitted form data flows.

Skill content

When the user submits the form, the field values arrive as a [CARD_ACTION] message. Requires the built-in feishu plugin to handle card action callbacks.

Recommendation

Avoid collecting highly sensitive information unless the Feishu app, callback handler, retention, and access controls are appropriate.