This Feishu messaging skill mostly matches its purpose, but it has real command-injection and sensitive-content leakage risks that users should review before installing.
Install only after hardening or running it in an isolated environment. Replace execSync command strings with spawn/execFile argument arrays or direct function calls, validate target/title/color/event fields, remove or clearly disclose smart path inference for --text, and reapply secret scanning before every outbound fallback. Use a least-privilege Feishu app token and avoid sending secrets, logs, code, or regulated data through this skill unless you intend that content to reach Feishu/Lark.