Feishu All In One
Review
Audited by ClawScan on May 10, 2026.
Overview
This Feishu integration matches its stated purpose, but it needs bot credentials, can send/upload content, and can run a background callback listener.
Before installing, confirm that you want this skill to operate a Feishu bot with message, file, and callback privileges. Protect the App Secret, verify dependencies, review the Gateway forwarding settings, and only send files or messages to intended recipients.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and configuring this skill lets the bot act in your Feishu tenant with the permissions you grant.
The skill asks for Feishu app credentials and bot permissions that can send messages, upload/download files, and read basic user info.
FEISHU_APP_ID ... FEISHU_APP_SECRET ... im:message:send_as_bot ... im:file:upload ... im:file:download ... contact:user.base:readonly
Use a least-privilege Feishu app, grant only the permissions needed for the features you will use, and protect or rotate the app secret if exposed.
If the agent or user selects a sensitive local file, that file can be uploaded and sent through Feishu.
The file sender uploads a user-specified local file to Feishu, which is central to the stated file-send feature but can expose the chosen file.
parser.add_argument("--file", required=True, help="Local file path") ... files = {"file": (file_path.name, f)} ... requests.post(FEISHU_UPLOAD_URL
Only provide file paths and recipient IDs intentionally, and require review before sending private or business-sensitive files.
The listener may keep operating beyond the immediate task and continue reacting to Feishu card actions.
The documented callback server runs in the background and continues processing Feishu card click events after startup.
node card-callback-server.js & ... Listens for card click events over a long-lived connection ... Automatically handles button callbacks
Run the callback server only when needed, monitor the process, and stop it when callback handling is no longer required.
Card click or form callback data may leave Feishu and be delivered to the configured Gateway, which could be local or another configured URL.
When a Gateway token is configured, card callback data is forwarded to the configured OpenClaw Gateway endpoint.
enabled: config.gateway?.enabled !== false // enabled by default ... data: callbackData ... await axios.post(`${GATEWAY_URL}/api/callback`, payload
Verify the Gateway URL and token, avoid collecting unnecessary sensitive form data, and set gateway.enabled to false if callback forwarding is not desired.
Dependency packages will run or be imported locally and may affect the local environment.
The skill instructs users to install Node and Python dependencies manually; this is expected for callbacks and speech transcription but introduces third-party package trust.
# Install dependencies (only needed once) npm install ... python3.11 -m pip install faster-whisper
Review package.json/package-lock and Python packages before installing, and run the skill in an environment appropriate for third-party dependencies.
