v1.0.0

OpenClaw Feishu Message Reading

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:32 AM.

Analysis

This instruction-only skill is purpose-aligned, but it can read/search Feishu messages across all user-authorized chats and download message resources using the user's identity, so it deserves careful review before installation.

Guidance: Review this skill carefully before installing. It appears to be a legitimate Feishu IM reading guide, but it can expose private or business chat history and message attachments through the user's own Feishu permissions. Use narrow chat IDs, keywords, and time ranges, and ask for confirmation before broad cross-chat searches or downloading files.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
`feishu_im_user_search_messages` supports searching messages across all conversations

The documented search tool can search across all conversations, and the artifact does not clearly require explicit confirmation or narrow scoping before broad searches.

User impact: A broad query could expose messages from many Feishu chats, not just the specific conversation the user had in mind.
Recommendation: Require the agent to confirm broad searches and limit requests by chat, sender, keyword, and time range whenever possible.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
Fetching message history and needing to understand the context (default) | For each discovered thread_id, call `feishu_im_user_get_thread_messages` to get the latest 10 replies

The skill recommends proactively expanding threads by default. This can be useful context, but it may retrieve additional messages beyond the initially requested message list.

User impact: The agent may read thread replies automatically when summarizing or inspecting chat history.
Recommendation: Ask the agent to avoid expanding threads unless needed, or to confirm before reading additional thread content.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
The following resource markers may appear in message content; download them with `feishu_im_user_fetch_resource`

The skill documents downloading images, files, audio, or video referenced in messages. This is purpose-aligned, but downloaded resources may contain sensitive content.

User impact: The agent may retrieve files or media attached to Feishu messages when they appear relevant.
Recommendation: Confirm before downloading sensitive files or media, especially from broad search results or private chats.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
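Severity: Medium; Confidence: High; Status: Concern
SKILL.md
All message-reading tools in this Skill are called with the user's identity and can only read conversations the user has permission to access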

The skill uses the user's Feishu identity to access conversations. This is purpose-aligned, but it is high-impact delegated access to private or business messages.

User impact: If installed and invoked, the agent may read Feishu conversations that the user can access, including group and one-to-one chats.
Recommendation: Install only if you are comfortable granting Feishu message-reading access. Prefer using it with specific chat IDs, time ranges, and clear user requests.