feishu-message
Security checks across malware telemetry and agentic risk
Overview
The code generally matches a Feishu messaging tool, but the skill's metadata and SKILL.md understate what it actually requires and what it will access (it reads a ../../.env, needs FEISHU_APP_ID/FEISHU_APP_SECRET, caches tokens to disk, and calls sibling scripts), so the package is internally inconsistent and requires caution.
This package contains working scripts for Feishu (Lark) messaging, but the metadata omits important details. Before installing or running it:

1) Do not run it in a production environment with real org credentials yet — the code expects FEISHU_APP_ID and FEISHU_APP_SECRET.
2) Inspect the ../../.env file it will load (relative to the skill) — it will load full dotenv contents two directories up, which may include unrelated secrets; avoid placing your real .env there.
3) Note it writes a token cache to '../../memory/feishu_token.json' (it will create or overwrite that path).
4) The index spawns ../feishu-post/send.js — verify that sibling skill/script is trustworthy or present; otherwise the send subcommand may fail or execute unexpected code.
5) Because there is no install spec, you will likely need to run npm install yourself; review package-lock for third-party deps.
6) If you plan to use this, prefer running it in an isolated environment (throwaway account or container) and explicitly set only the minimal Feishu app credentials the tool needs.
7) Ask the author to update registry metadata to declare required env vars and config paths and to remove implicit ../../.env loading or make the config path configurable — that will make the skill's behavior coherent and safer.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
