feishu-memory-recall

Security checks across malware telemetry and agentic risk

Overview

The skill's code largely matches its stated Feishu memory/search purpose, but the package metadata omits sensitive config/env access (it reads the agent sessions file and requires FEISHU credentials), so the requested/declared surface is inconsistent and deserves caution.

This skill mostly does what it says (search/recall/digest across Feishu groups), but there are important inconsistencies and privacy implications you should consider before installing:

- Metadata omission: The package metadata claims no required env/config paths, but the code requires FEISHU_APP_ID and FEISHU_APP_SECRET and reads ~/.openclaw/agents/main/sessions/sessions.json. Those should have been declared. Treat that as a red flag for sloppy or incomplete packaging.
- Sensitive file access: sync-groups reads the OpenClaw sessions.json file to discover groups. That file may contain session details for other agents; only install if you trust the skill author and you are comfortable with it reading your agent session state.
- Credential scope: The skill exchanges FEISHU_APP_ID/SECRET for a tenant token and will fetch messages across tracked groups. Prefer giving an app with the minimal necessary scopes (read-only message scopes) and not a broadly privileged secret. Be cautious about using highly privileged credentials.
- Persistent data: The skill writes cached tokens and logs under memory/ and RECENT_EVENTS.md in the workspace. If that data is sensitive, plan for where those files live and who can read them.
- Suggested actions before use: review the included index.js and recall.js (they are readable), confirm FEISHU app permissions, run in an isolated environment or container first, and request the publisher update the registry metadata to list required env vars and the sessions.json config path. If you cannot verify the author or code, avoid providing FEISHU_APP_SECRET or running sync-groups on a system with other agents' sessions present.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings
