Lark Calendar & Tasks
v1.0.0
Create, update, and delete calendar events and tasks in Lark (Feishu). Includes employee directory for automatic name-to-user_id resolution.
⭐ 3· 6.2k·60 current·61 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md implement calendar and task CRUD and an employee directory (including dynamic contact lookup) which is coherent with the skill name/description. However the registry metadata lists no required environment variables or binaries despite the SKILL.md and code clearly requiring FEISHU_APP_ID and FEISHU_APP_SECRET and Node.js to run. This metadata omission is an inconsistency that could mislead users about what secrets/tools are needed.
Instruction Scope
Runtime instructions and scripts only call the Lark (Feishu) APIs and resolve employee names; nothing in SKILL.md or the scripts instructs reading unrelated system files. Business rules (e.g., 'Boyang is always added' to attendees) are documented. One implementation detail to note: the API wrapper loads secrets from a .secrets.env file via dotenv at a relative path (join(__dirname, '../../../../.secrets.env')). That assumes a particular installation layout and will read a dotfile outside the lib directory — verify that the file you provide is the intended credential file and not a broader system file.
Install Mechanism
This is flagged as instruction-only (no install spec) but the package includes package.json/package-lock.json and code that depends on Node and the npm package 'dotenv'. The registry metadata did not declare Node.js as a required binary and provided no install instructions. That mismatch means users may run the scripts without installing dependencies or may not realize they must run npm install or have Node available. No external download URLs are used (only an npm dependency), which is lower risk, but the absent install guidance is a deployment/operational risk.
Credentials
The skill requires FEISHU_APP_ID and FEISHU_APP_SECRET (declared in SKILL.md and used by lib/lark-api.mjs) — these are appropriate and necessary for Lark API access. However the registry metadata claimed no required env vars; that inconsistency is significant because the skill will not work without those secrets and will attempt to read them from a .secrets.env file. Verify you only supply an app credential with minimal scopes needed (calendar, contact readonly, task as applicable).
Persistence & Privilege
The skill does not request permanent/always-included privileges (always: false). It maintains only in-memory caches and does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) and not by itself a red flag here.
What to consider before installing
What to check before installing or running this skill:
- Secrets and binaries: SKILL.md and the code require FEISHU_APP_ID and FEISHU_APP_SECRET and Node.js, but the registry metadata does not list them. Do not assume no secrets are needed — you must provide an app id/secret in .secrets.env and have Node installed. Ensure the FEISHU app credentials you provide have the minimum scopes needed (calendar, task, contact read) and are for the correct tenant.
- .secrets.env path: The code loads dotenv from a relative path (../../../../.secrets.env). Confirm where that resolves in your environment and that it points only to the credential file you intend to expose — avoid pointing it to a broader secrets file or repository root that contains unrelated secrets.
- Unknown origin: The skill has no homepage and source is unknown. That increases the risk surface. If you plan to use it in production or with real credentials, review the source locally, run it in an isolated environment, and consider creating new FEISHU app credentials you can revoke.
- Automatic attendee rule: The skill will always add the user_id 'dgg163e1' (Boyang) to every calendar event. This is documented but can be surprising. If you do not want that behavior, modify the code before use.
- Dependency/install: Run npm install to satisfy 'dotenv' dependency before running scripts, and verify Node version compatibility. Consider running the scripts in a disposable container or restricted environment first.
- Recommended actions: review the code locally, confirm the FEISHU app permissions, adjust the .secrets.env path if necessary, and test with non-production credentials. If you need stronger assurance, prefer an official integration or a skill with verifiable source/homepage.

Like a lobster shell, security has layers — review code before you run it.
