Feishu Agent

Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed Feishu calendar/todo/contact CLI integration, with the main cautions being external package execution and sensitive Feishu OAuth permissions/tokens.

Before installing, make sure you trust the @teamclaw/feishu-agent package, because its code was not included here. Grant only the Feishu permissions you need, keep ~/.feishu-agent/config.json private, and require confirmation before the assistant creates or deletes events or changes todos.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You would be running package code that was not available for this review, including code that may handle your Feishu credentials.

Why it was flagged

The skill directs users to execute or globally install an external package, while this submission contains only documentation and no implementation code for that package.

Skill content

bunx @teamclaw/feishu-agent <command> ... bun add -g @teamclaw/feishu-agent

Recommendation

Install only if you trust the package source; prefer a pinned version and review the package provenance or source before granting Feishu access.

What this means

Anyone or any process that can read this config file may be able to use the saved Feishu credentials until they expire or are revoked.

Why it was flagged

The documented setup stores Feishu app secrets and OAuth tokens locally so the CLI can act on the user's Feishu account.

Skill content

Global config is stored in `~/.feishu-agent/config.json`: ... "appSecret", "userAccessToken", "refreshToken"

Recommendation

Protect the config file, use least-privilege Feishu app permissions, and revoke or rotate tokens if the tool is no longer needed.

What this means

If an assistant runs these commands without careful review, it could create, delete, or mark items complete in the user's workspace.

Why it was flagged

The CLI exposes commands that can change calendar and todo data in the user's Feishu account.

Skill content

`feishu-agent calendar create ...` | Create a new event ... `feishu-agent calendar delete --event-id=evt123` | Delete an event ... `feishu-agent todo done --record-id=rec123` | Mark todo as done

Recommendation

Require user confirmation before create, delete, or completion actions, and verify event IDs, attendees, times, and todo records before execution.