dingtalk-feishu-cn
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only guide for DingTalk/Feishu integrations. It makes expected but noteworthy use of webhooks, API credentials, and package installs, and it references example helper scripts that are not included with the skill.
Before installing or using this skill, confirm which DingTalk/Feishu bot or app credentials it will use, test in a non-sensitive channel, avoid putting secrets in messages, and review any third-party packages or local scripts before running them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could post unintended messages to company chat channels or bots.
The skill documents direct webhook calls that send messages to enterprise chat systems. This is expected for the stated integration purpose, but message sending should remain user-directed to avoid accidental or spammy notifications.
curl -X POST "https://oapi.dingtalk.com/robot/send?access_token=YOUR_TOKEN"
Use dedicated test channels first, confirm recipients before sending, and avoid autonomous bulk notification behavior unless explicitly configured.
Leaked or over-scoped app secrets/webhook URLs could allow others to send messages or access workspace APIs.
The guide expects DingTalk/Feishu application secrets or webhook tokens, while the registry metadata lists no required credentials. This is purpose-aligned, but credentials should be scoped and protected.
client = SecretClient(APP_KEY, APP_SECRET)
Use least-privilege bot credentials, keep webhook URLs and app secrets out of chat/logs, and rotate them if exposed.
A user or agent could install unexpected package versions or run a local script whose contents were not reviewed as part of this skill.
The instruction-only artifact references third-party package installs and local helper scripts, but the package versions are not pinned and the referenced scripts are not included in the manifest. These are setup examples rather than hidden execution, but users should verify what they install or run.
pip install dingtalk-sdk ... pip install lark-oapi ... ./scripts/dingtalk-notify.sh
Pin and review dependencies before installation, and only run helper scripts from a trusted, inspected source.
Operational or business details could be posted into chat spaces where more people can see them.
The documented use cases include sending operational and business alert content through DingTalk/Feishu webhooks. This is expected for the skill, but such messages may contain sensitive business information.
Server alert - Business anomaly - Scheduled report (original: 服务器告警 - 业务异常 - 定时报告)
Limit message content to what the target channel should see, avoid secrets in alerts, and use appropriate workspace/channel permissions.
