Feishu Evolver Wrapper
Security checks across malware telemetry and agentic risk
Overview
The code mostly matches a Feishu reporting / lifecycle wrapper, but it uses many undeclared environment variables, reads/writes workspace/system files, spawns detached daemons, and builds/executes shell commands — behaviors that are coherent with the stated purpose but are broader and more persistent than the SKILL.md/registry metadata declare.
This skill appears to implement the advertised Feishu reporting and lifecycle features, but the package metadata omits the many environment variables and filesystem permissions the code requires. Before installing or running it:
- Inspect feishu-common/index.js (fetchWithAuth) and any referenced scripts (skills/feishu-doc/create.js, append_simple.js) to confirm how auth tokens are used and where data is sent.
- Expect the wrapper to read/write workspace files (memory/, logs/, assets/), to read feishu_token.json and other token files, and to POST data to https://open.feishu.cn; if those tokens exist, they could be used to post internal logs.
- Note that it spawns detached daemons and writes PID/heartbeat files; run it in an isolated/container environment if you want to limit persistent effects.
- Audit uses of execSync/child_process.spawn where command strings include unescaped user or env data (some commands are built using template concatenation); these are potential shell-injection vectors.
- If you only need non-persistent reporting, consider running the scripts manually rather than enabling the daemon.
If you want a lower-risk install, ask the publisher to (1) declare the required env vars and permissions in the metadata, (2) document precisely which files it reads/writes and which network endpoints it calls, and (3) avoid constructing shell commands from unescaped user-provided content. If you cannot audit the referenced helper modules or scripts, treat this as higher risk and run it in a sandboxed environment.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
