feishu-minutes

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says (download Feishu Minutes data), but the code requires Feishu app credentials and reads and writes files outside the skill folder, while SKILL.md and the registry metadata do not declare those requirements. This mismatch is concerning.

This skill looks functionally correct for downloading Feishu Minutes data, but the documentation fails to tell you that it needs Feishu app credentials. Before installing or running it:

(1) Verify the skill source/author.
(2) Supply FEISHU_APP_ID and FEISHU_APP_SECRET via environment variables or a config.json if you trust it. The code will also try to load any .env in the current or parent directories, so avoid running it where other secrets live.
(3) Be aware that it will persist a tenant token to memory/feishu_token.json (shared across skills). If you don't want token reuse, remove or sandbox that file.
(4) Consider creating a dedicated Feishu app with minimal permissions for this use.
(5) Ask the publisher to update SKILL.md to declare the required env vars and the token cache location, or to modify the code so that it only reads declared env vars and writes caches inside the skill-specific directory.

If you cannot verify the author, run the skill in an isolated environment, or inspect/modify lib/auth.js to remove ancestor .env loading and to control the cache path before using it.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings
