Feishu CRM Lite

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may enter customer names, phone numbers, emails, and follow-up notes believing they are synced to Feishu, when the reviewed code stores them locally instead.

Why it was flagged

This tells users their CRM data will be stored in Feishu Bitable, but the provided implementation uses local JSON files and contains no Feishu API integration. That mismatch can mislead users about where customer data is kept.

Skill content
Customer data is stored in Feishu Bitable, and the following tables are created automatically
Recommendation

Clearly state whether data is local or in Feishu, remove unsupported Feishu-sync claims until implemented, and document any local storage behavior before users enter customer data.

What this means

Sensitive business contact details and communication notes may remain in local files, be backed up or shared unintentionally, and not be available in Feishu as expected.

Why it was flagged

The code persists CRM data locally, including customer records and follow-up history. The storage path, retention, cleanup, and privacy implications are not disclosed in the user-facing skill text.

Skill content
this.dataPath = dataPath || path.join(process.cwd(), 'data', 'feishu-crm');
this.customersFile = path.join(this.dataPath, 'customers.json');
this.followUpsFile = path.join(this.dataPath, 'followups.json');
Recommendation

Document the exact local data path, provide retention and deletion controls, and consider configurable storage or encryption for customer/contact data.

What this means

If Feishu integration is added or invoked through existing account permissions, the skill could create or modify workspace CRM tables without users understanding the exact access scope.

Why it was flagged

The skill claims it will use existing Feishu API authority, but the registry metadata declares no credential, environment variable, or scope requirements, and the artifacts do not explain what Feishu permissions would be used.

Skill content
This skill uses existing Feishu API permissions; no additional configuration is required.
Recommendation

Declare the Feishu credential model and required scopes, require explicit user confirmation before creating/updating/deleting Feishu records, and document how permissions are limited.

What this means

Accidental or overly broad deletion could remove local CRM customer records.

Why it was flagged

The code can delete CRM records. This is expected for a CRM skill, but it is a business-impacting mutation and the artifact does not show a confirmation or recovery workflow.

Skill content
deleteCustomer(id) {
  const customers = this.getCustomers();
  const filtered = customers.filter(c => c.id !== id);
  ...
  this.saveCustomers(filtered);
  return true;
}
Recommendation

Ask for explicit confirmation before deleting records and consider adding backup, undo, or soft-delete behavior.