Feishu Open Platform App Automation Configuration
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent about automating Feishu setup, but it would use a logged-in admin browser session to grant broad permissions and publish persistent app changes.
Install or use this only if you intentionally want an agent to configure a Feishu enterprise app with admin-level effects. Before running it, review and minimize the permission list, avoid unnecessary HR/file scopes, confirm each publish action manually, run first in a test app or tenant, and store the App Secret securely.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with an admin session, the agent could grant an OpenClaw/Feishu app broad access to enterprise messages, contacts, and files.
The skill uses an existing authenticated Feishu session, exposes an app secret, and recommends broad tenant/user permissions, including message, contact, file, and HR-file access, without clearly justifying or bounding each scope.
“Existing Feishu session”; “App Secret: first click the eye icon to reveal it”; recommended scopes include “im:message:readonly”, “contact:contact.base:readonly”, “aily:file:write”, “corehr:file:download”
Review every requested scope before importing it, remove anything not required, restrict Feishu data ranges, and protect the App Secret as a production credential.
A mistaken or over-broad run could publish enterprise app changes immediately and make permissions or names live for users.
The browser automation workflow proceeds through high-impact Feishu admin changes and final online publication, including automated confirmation clicks, without an explicit user approval gate in the instructions.
“Create app → Add bot capability → Import permissions → Event subscription → Rename (optional) → Publish version” and `agent-browser find role button click --name "申请线上发布"` followed by JavaScript clicking “确定” (Confirm)
Require a manual confirmation before permission import and online publication, test in a non-production app first, and verify the browser snapshot before each final click.
The reviewed artifact contains no executable code, but the real automation will be performed by another installed tool.
This instruction-only skill relies on an external browser automation skill that is not included in the scanned artifact set, so the safety of actual execution also depends on that separate component.
“Prerequisites - the `agent-browser` skill is installed”
Use a trusted, reviewed version of agent-browser and understand its browser/session access before running this skill.
Feishu message events may flow continuously to the OpenClaw Gateway after setup.
The skill configures Feishu event delivery through an active OpenClaw Gateway WebSocket, which is purpose-aligned but creates an ongoing channel for message events.
“OpenClaw Gateway is running (event subscription requires an active WebSocket connection)” and event setup for “im.message.receive_v1”
Confirm the Gateway endpoint, account mapping, and event subscriptions are intended, and disable subscriptions if the app should stop receiving message events.
