feishu-bitable
v1.0.0
Manage Feishu Bitable by listing tables and adding records or tasks using provided app credentials.
⭐ 3 · 6.8k · 112 current · 115 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (high confidence)

Purpose & Capability
The SKILL.md and README state this is a Feishu Bitable helper and list FEISHU_APP_ID / FEISHU_APP_SECRET as configuration, but the registry metadata declares no required environment variables or primary credential. The code depends on a getTenantAccessToken implementation from a separate 'feishu-doc' skill (via relative paths) which is not included in this package, creating a capability mismatch: the skill assumes other skill files and secrets exist but does not declare or ship them. Also there is a hard-coded appToken string in both add_task.js and add_task_dynamic.js, which is unexpected for a generic helper and suggests either leakage of a real app id or sloppy packaging.
Instruction Scope
SKILL.md describes library usage only, but both JS files contain a main() function that is invoked at top-level — requiring or executing these files will perform network calls (list tables / add records). The code also imports an auth module from a sibling skill path (../feishu-doc/lib/auth or ../../skills/feishu-doc/lib/auth), i.e., it expects to read code/credentials outside its declared boundary. SKILL.md does not mention these side effects or cross-skill file reads.
Install Mechanism
There is no install spec (instruction-only style), and dependencies are standard npm modules (dotenv, node-fetch) listed in package.json/package-lock.json — no external downloads or extract steps. That is low-risk for installation, but the package does include executable JS files that run network operations on load; the absence of an install spec means the agent/environment may run these files directly.
Credentials
The code clearly needs Feishu credentials (it calls getTenantAccessToken and SKILL.md names FEISHU_APP_ID / FEISHU_APP_SECRET), but the skill metadata declares no required env vars or primary credential. This mismatch hides the fact that installing or running the code will require providing Feishu secrets; additionally, the presence of a hard-coded appToken in the code is disproportionate and may expose/lock usage to that app id.
Persistence & Privilege
The skill does not request permanent presence (always:false) and uses default autonomous invocation rules. It doesn't explicitly modify other skills or system config. However, its cross-skill imports (attempting to reach feishu-doc/lib/auth) imply it expects access to files belonging to other skills; if run in an environment where sibling skill directories exist, it could read their auth implementation and thus indirectly access credentials. Also, the top-level main() calls will execute immediately when the module is loaded, giving it runtime impact without explicit user invocation.
What to consider before installing
Before installing or running this skill:
1) Do not provide your FEISHU_APP_ID / FEISHU_APP_SECRET until the developer clarifies why the package metadata omitted them.
2) Inspect the 'feishu-doc/lib/auth' module (or the platform's equivalent) that this code imports — the skill expects to call getTenantAccessToken from another skill; confirm that module is legitimate and won't leak tokens.
3) Note the JS files call main() at top-level and will perform network calls (list/add records) immediately; avoid auto-running these files in production.
4) Remove or review the hard-coded appToken values — they may be a leaked credential or may cause unexpected behavior.
5) If you need this capability, ask the author to: declare required env vars in the skill metadata, remove top-level side effects (export functions only), avoid importing sibling-skill paths, and avoid hard-coded secrets.
If you cannot verify these points, test the skill in an isolated environment and do not use real credentials.
latest: vk97catxh5dnxak2txb7fj87f458167qv
