feishu-chat-forwarder

Security checks across malware telemetry and agentic risk

Overview

The skill's code matches its stated purpose (fetch Feishu messages and merge-forward them), but it silently expects Feishu credentials, reads and writes files outside its own folder, and has manifest/install inconsistencies that could lead to unexpected credential exposure or persistence.

Before installing, be aware that this skill will call Feishu APIs and requires FEISHU_APP_ID and FEISHU_APP_SECRET even though the registry doesn't declare them. It looks for a ../../.env file and will write a token cache to ../../memory/feishu_token.json; verify where those paths point in your environment (they may be shared). Also note that package.json is missing the dotenv dependency and the registry metadata doesn't list Node/npm as required, so you'll need to ensure Node and the correct dependencies are installed. If you plan to use it: (1) only provide Feishu credentials you trust and consider using a service account with limited scope, (2) run the skill in an isolated/containerized environment so the token file cannot be read by other processes, (3) inspect or modify the code to (a) declare required env vars in the manifest, (b) avoid using ../../ paths or use a configurable, private cache location, and (c) add dotenv to dependencies or explicitly document installation steps. If the author cannot justify these mismatches, treat this skill as untrusted and avoid supplying real credentials.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings
