feishu-sheet-tabs

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: feishu-sheet-tabs
Version: 0.1.0

The skill bundle uses browser automation to inject JavaScript and call internal, undocumented Feishu Sheet methods (e.g., `window.spread.addSheet`) to bypass API limitations. It includes an introspection script (`protoMethods`) in `SKILL.md` to discover hidden application logic and encourages using the user's active Chrome session via Browser Relay. While these capabilities are aligned with the stated goal of managing spreadsheet tabs, they represent high-risk behaviors in an authenticated environment without formal API safeguards.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wrong spreadsheet or tab list is used, the agent could rename or create tabs in the wrong Feishu document.

Why it was flagged

The skill intentionally uses browser automation as a workaround to create or rename tabs in a Feishu spreadsheet. This is purpose-aligned, but it is still a tool-driven mutation of a cloud document and should be scoped to the user’s requested sheet.

Skill content

When the user explicitly wants tabs/pages inside one spreadsheet, switch to browser automation.

Recommendation

Before running it, confirm the spreadsheet URL/token, current sheet names, and exact tabs to create or rename. Prefer an official Feishu API method if one becomes available.

What this means

The agent can perform actions in Feishu as the logged-in user for the attached tab/session.

Why it was flagged

The skill relies on the user’s authenticated Feishu browser session rather than a narrowly scoped declared credential. This is disclosed and relevant to the task, but it means the agent acts with the user’s Feishu permissions.

Skill content

Prefer using the user's real Chrome tab via Browser Relay when available. Why: stable login state - real user session

Recommendation

Attach only the intended Feishu tab/account, verify the workspace and document, and detach or close the session when the task is complete.

What this means

Internal page methods may change behavior, fail, or affect the open spreadsheet if used against the wrong page.

Why it was flagged

The workflow executes JavaScript inside the Feishu page context to call internal runtime objects. This is the documented workaround and not hidden, but it is less controlled than a stable official API.

Skill content

Use page evaluation to inspect current sheets before mutation ... await spread.renameSheet(first.id, '总览') ... await spread.addSheet(name)

Recommendation

Use this only on the intended Feishu spreadsheet page, inspect the current sheet list first, and keep the JavaScript limited to the requested create/rename operations.

What this means

A real document identifier could be exposed or mistakenly treated as the sheet to modify.

Why it was flagged

The documentation includes a concrete prior spreadsheet URL/token as an example. It is not presented as the default target, but a user or agent should not reuse it accidentally.

Skill content

For spreadsheet: - `https://bytedance.larkoffice.com/sheets/Bf6qsMV9fhqrD6tPE6TcQhF7nEe`

Recommendation

Use only the spreadsheet URL/token supplied by the current user request, and replace real example document IDs with placeholders in published skill documentation.