Feishu
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only Feishu integration, but it needs broad Feishu workspace access and can perform account-changing actions when authorized.
This skill appears benign and well-scoped for a Feishu command-center workflow, with default read-only behavior and confirmation requirements for sensitive actions. Before installing, use least-privilege Feishu credentials, confirm the publisher/source, and keep human review for messages, approvals, calendar changes, and business-critical table updates.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled in executive mode, the agent could change Feishu workspace data or send workplace communications after authorization.
The skill explicitly contemplates write actions in Feishu such as sending messages, editing tables, changing calendars, and triggering approvals. It also requires user confirmation, so this authority is purpose-aligned but high-impact, and users should be aware of it.
Actions such as sending messages, modifying tables, adjusting schedules, and triggering approvals must be explicitly confirmed by the user before they can be executed
Keep the default counselor mode unless needed, require explicit confirmation for writes, and review drafts or proposed changes before allowing the agent to act.
A broadly scoped Feishu app credential could allow the connector to read or modify more workspace data than the user intends.
The skill requires Feishu application credentials. That is expected for the integration, but those credentials may grant access to tenant data depending on the Feishu app scopes.
"requires": { "env": [ "FEISHU_APP_ID", "FEISHU_APP_SECRET" ] }
Use a dedicated Feishu app with least-privilege scopes, restrict tenant access where possible, and rotate the secret if the skill is removed or no longer trusted.
Incomplete or misleading Feishu content could influence summaries, reminders, reports, or proposed actions, and sensitive workplace information may be surfaced in the assistant context.
The skill is designed to retrieve and combine context from chats, documents, meetings, and transcripts. This is central to the stated purpose, but it means sensitive enterprise context may be summarized and reused in decisions.
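Merge context across groups to avoid repeated judgments; search and consolidate across documents; extract decision items and action items from recordings/transcripts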
Check source links and summaries before acting, avoid asking it to process data outside your authorization, and do not rely on generated conclusions for legal, finance, or compliance decisions.
Users may have less assurance about who maintains the skill or whether the registry package matches the referenced repository.
The registry metadata does not provide an independently verified source or homepage, even though the package's skill.json lists a GitHub homepage. There is no executable install code, so this is a provenance note rather than a direct runtime concern.
Source: unknown; Homepage: none
Verify the publisher and repository before trusting the skill with production Feishu credentials.
