飞书文档搜索助手 (Feishu Document Search Assistant)

Warn

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a Feishu document-search skill, but it embeds a Feishu app secret and can automatically forward some user questions to a specific Feishu bot/user, so it needs review before use.

Do not install this as-is in a real workspace. First rotate the exposed Feishu App Secret, replace hardcoded credentials with scoped user-managed authentication, verify that the configured Feishu root space is intended for all users of the skill, and disable or require confirmation for automatic forwarding to the named Feishu bot/user.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with access to the skill artifact may be able to reuse the embedded Feishu app credential according to that app’s permissions, potentially exposing tenant documents or account capabilities.

Why it was flagged

The skill embeds a Feishu application secret and gives a tenant_access_token retrieval command, while the metadata declares no primary credential or required environment variables.

Skill content

“Feishu API credentials” ... “App ID: `cli_a932...`” ... “App Secret: `w3RGN8...SKMxL8`” ... “Obtain tenant_access_token”
Recommendation

Revoke and rotate the exposed Feishu secret, remove credentials from SKILL.md, require user- or tenant-owned OAuth/env-based credentials, and document the exact scopes needed.

What this means

The skill may read a large portion of the configured Feishu knowledge space, including structured tables and attachments, when answering questions.

Why it was flagged

Recursive document traversal and reading multiple Feishu content types is purpose-aligned for a search assistant, but it is broad access that users should understand before enabling.

Skill content

“Recursively traverse all child nodes under `root_node_token`”, and supported types include “docx, sheet, bitable, board” plus “PDF attachments ... download”.
Recommendation

Confirm the configured root is intentionally scoped, add exclusions or depth limits where appropriate, and require clear user approval before broad searches or attachment downloads.

What this means

A user’s question, which may include sensitive business context, could be sent to another Feishu account or bot automatically.

Why it was flagged

The shipped configuration enables automatic forwarding of certain user questions to a named Feishu bot/user, but the data boundary and per-query consent are not clearly controlled.

Skill content

"tech_collaboration": { "enabled": true, "tech_bot_name": "杨毛毛2号", "tech_bot_id": "ou_adba...", "forward_message": "这个问题属于少儿技术范畴,让我询问技术空间负责人杨毛毛2号。" }

The forward_message value reads, in translation: “This question falls within the children's technology area; let me ask the technology space owner 杨毛毛2号.”
Recommendation

Disable automatic forwarding by default, ask the user before each transfer, and clearly document who receives the question and what data is shared.