Feishu Agent Relay - Multi-Bot Collaboration
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is transparent and not malicious, but its team mode relies on unverified self-declared user IDs to route proactive Feishu bot messages, which needs careful review before use.
This skill appears purpose-built for Feishu multi-bot collaboration and does not show malicious code. It is safest for personal single-user use. Before using it with a team, add real identity verification, restrict Feishu app visibility and permissions, protect app secrets, audit mapping changes, and avoid sending sensitive content through relays until those controls are in place.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
In team mode, a person could claim another user's ID and cause specialist bot replies or future routed messages to go to the wrong identity.
The multi-user flow uses self-declared user IDs as the basis for cross-bot identity routing, and the artifact itself states that there is no verification.
No identity verification - System trusts whatever user types ... Identity spoofing possible ... NOT production-ready
Use single-user mode for personal use only, or add SSO/LDAP/admin verification, duplicate-ID protection, and registration audit logs before team or production use.
A bad or spoofed mapping can persist across sessions and bots, causing ongoing misdelivery of Feishu messages until manually corrected.
The helper unconditionally creates or updates persistent user-to-open_id mappings, which are then reused by all bots for routing.
if (!mapping.users[userid]) { mapping.users[userid] = { ... }; } ... mapping.users[userid].botOpenIds[agentId] = openId;
Validate identities before writes, prevent unapproved overwrites, add audit history, restrict file permissions, and use atomic/locked updates for the shared mapping file.
If bot credentials or permissions are mishandled, someone could read or send Feishu messages through the configured bots.
The skill requires Feishu bot credentials and message/user-info permissions, which are expected for the stated integration but sensitive.
App Secret: xxxxxxxxxxxxxxxxxx ← Keep secure! ... im:message | Send and read messages ... contact:user:readonly | Get user info ... im:chat | Access chat information
Store secrets in a secret manager, rotate them regularly, request the minimum necessary Feishu scopes, and limit bot visibility to intended users.
User questions and identifiers may be shared with multiple specialist bots/agents as part of normal operation.
The core workflow passes user IDs and task content between multiple agents and Feishu bots.
User → Coordinator Bot → sessions_send → Specialist Bot → User ... Automatic task relay between Bots ... Proactive messaging
Keep relay payloads minimal, label untrusted user content clearly, restrict which agents can receive relays, and log cross-agent transfers.
If configured too broadly, bots could relay tasks or send proactive messages beyond the user's intended workflow.
The examples show the agent invoking relay and messaging tools to contact other agents and send Feishu DMs.
await sessions_send({ agentId: 'product-expert' ... }); ... await message({ action: 'send', channel: 'feishu', target: userOpenId, message: response });
Require explicit user-triggered relays for sensitive tasks, restrict allowed agent IDs, and add operator review for high-impact or external-facing messages.
A testing tunnel can expose a local webhook endpoint to the internet, and a global package install depends on npm package provenance.
The guide includes an optional unpinned global package install and public tunnel setup for webhook testing; it is disclosed and not automatically executed.
npm install -g ngrok ... Request URL: https://xxxx.ngrok.io/webhook/feishu/{bot-name}
Use ngrok only for testing, prefer pinned/trusted tooling, protect webhook verification tokens, and use a hardened production endpoint for real deployments.
