Feishu Post
Security checks across malware telemetry and agentic risk
Overview
The skill's code mostly matches its stated purpose (sending Feishu rich-text posts), but it does not declare the credentials it requires and relies on a relative 'feishu-common' dependency. A few implementation details (debug script, arbitrary file reads, missing install steps) merit caution before installing or running.
This skill appears to implement Feishu rich-text posts as described, but review these before installing or running:
1) Authentication: the skill expects a local feishu-common module to supply Feishu credentials (loaded via a relative path). Installing or running it with that module will grant this code access to your Feishu API tokens — confirm what feishu-common does and where credentials are stored.
2) Missing disclosures: the skill metadata does not list required env vars (credentials) or an install step (npm install). Expect to run npm install and to provide Feishu credentials elsewhere.
3) Debug and file access: debug_msg.js contains API calls that fetch message data (would expose message contents if run with credentials). The CLI can read any file path passed with --text-file, and it writes temporary files to /tmp when using --text; avoid passing sensitive file paths.
4) Practical advice: inspect the feishu-common code before use, avoid running debug_msg.js on a live credentialed environment, run the tool in an isolated environment, and only grant the minimum Feishu permissions needed.
If you want a safer assessment, provide the feishu-common module (or its manifest) so we can review how credentials are loaded/used and whether any unexpected endpoints or persistence exist.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
