Feishu Doc

The skill broadly matches a Feishu document reader/writer, but its metadata, runtime instructions, and shipped files are inconsistent and include cached Feishu content that may be sensitive — review before installing or providing credentials.

Do not give this skill your FEISHU_APP_ID or FEISHU_APP_SECRET until you verify its origin and code. Actionable steps: - Confirm publisher identity and a homepage or repo; the 'Source: unknown' and no homepage are red flags. - Review index.js and lib/auth.js before running; verify there are no undocumented outbound endpoints (other than open.feishu.cn) or telemetry. Pay attention to any code that posts data to non-Feishu URLs. - Remove or examine the cache/ files: the package includes many cached Feishu docs (some large). Those caches may contain sensitive organizational data — decide whether you want those files bundled in the skill at all. - Ensure you only install 'feishu-common' from a trusted source; the skill depends on ../feishu-common and ../common/env which may change runtime imports. - If you proceed, run the skill in an isolated environment (sandbox/container) and monitor network traffic the first time it runs. - If you cannot audit the code (index.js and all lib/*.js), prefer an officially published Feishu integration or a skill with clear dependency and credential declarations. Confidence note: medium. The package appears to implement the claimed Feishu features, but the mismatches between metadata and the code/README, plus the presence of bundled cached documents and base64-encoded filenames, make the package suspicious and worth manual review before trust or credential entry.