feishu-user
Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Feishu document helper, but it uses Feishu user tokens that can access and modify cloud documents.
Install only if you want an agent to access Feishu documents using your user identity. Use a least-privilege Feishu app, protect `~/.config/claw-feishu-user/config.json`, avoid sharing app secrets or tokens, and confirm before allowing updates or deletions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read that local config file may be able to reuse the saved Feishu token until it expires or is revoked.
The helper stores Feishu access and refresh tokens in a local config file, creating persistent account access material for the skill.
CONFIG_FILE = os.path.expanduser("~/.config/claw-feishu-user/config.json") ... self.config["access_token"] = token ... self.config["refresh_token"] = refresh_token ... self._save_config()
Use least-privilege Feishu app scopes, protect the config file, revoke tokens when no longer needed, and avoid using this on shared or untrusted machines.
If invoked on the wrong document or block token, the agent could change or remove Feishu document content.
The client can update and delete Feishu document blocks through authenticated API calls.
resp = requests.put(url, json=payload, headers=self.headers) ... resp = requests.delete(url, headers=self.headers)
Give the agent only the specific document and block tokens needed, and require user confirmation before update or delete operations.
The Feishu token may allow document modification and document-search access within the user's authorized Feishu account.
The OAuth setup asks for document operation and search-related scopes. These are relevant to Feishu document access, but users should notice the breadth of the grant.
Enable these permissions:
- `docx:document`
- `drive:drive.search:readonly`
- `search:docs:read`
Grant only the scopes you actually need, and review whether the search scopes are necessary for your workflow.
A future or compromised package version could affect the runtime environment if installed without verification.
The setup instructions install an unpinned third-party Python package. `requests` is a common dependency and is purpose-aligned, but version pinning is not provided.
pip install requests
Install dependencies from trusted package indexes, preferably in a virtual environment, and pin or verify dependency versions for sensitive use.
