飞书云盘助手 (Feishu Drive Assistant)
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Feishu Drive manager, but it uses powerful Feishu app credentials and can change, delete, or share drive files.
Install this only if you need Feishu Drive automation. Use a dedicated Feishu app with least-privilege scopes, protect FEISHU_APP_SECRET, set a default root folder token, confirm deletes/moves/shares, and choose narrow folder permissions unless full access is necessary.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used without a root folder or explicit target token, actions could affect a broader Feishu Drive area than intended.
The skill documents that operations fall back to the drive root when no folder token is supplied, so users need to intentionally scope where file operations occur.
**Priority rule**: the `folder_token` passed by the caller > the configured `root_folder_token` > an empty string (the drive root)
Set FEISHU_ROOT_FOLDER_TOKEN or pass explicit folder tokens, and confirm destructive or bulk operations before running them.
Anyone using these credentials through the skill can access and modify Feishu Drive content within the app's granted permissions.
The skill requires Feishu application credentials and drive/contact permissions, which are appropriate for the purpose but grant delegated access to cloud files and user identifiers.
Required environment variables: `FEISHU_APP_ID` and `FEISHU_APP_SECRET` ... `drive:file:read` ... `drive:file:write` ... `contact:user.id:readonly`
Use a dedicated Feishu app, grant only the minimum required scopes, keep FEISHU_APP_SECRET private, and test with non-production data first.
A mistaken recipient or default permission choice could give someone full access to a shared Feishu folder.
The permission helper's `perm` parameter defaults to full_access, so a caller who simply omits the argument grants full folder management rights rather than a narrower level.
`def add_permission(self, folder_token: str, open_id: str, perm: str = "full_access") ... "perm": perm`
Use `view` or `edit` unless full management access is truly required, and verify recipient emails/open IDs before granting permissions.
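Findings 1 and 3 are both about unsafe defaults: an absent folder token silently widens the scope to the drive root, and an absent `perm` argument silently grants full_access. The wrapper below is an added example written for this review, not code from the audited skill. It assumes the skill exposes a client object with `add_permission(folder_token, open_id, perm)` (the only method name visible in the reviewed source) and a stand-in `delete_file(file_token, folder_token)`; the `ou_` open_id prefix, the token strings and the recording client are constructed for the example.

```python
"""Scoping and sharing guards for a Feishu Drive automation skill.

Added example for this review, not the audited skill's own code. It assumes
the skill's client exposes `delete_file(file_token, folder_token)` (a stand-in
name) and `add_permission(folder_token, open_id, perm)` (the name seen in the
reviewed source).
"""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Narrow share levels; "full_access" is the skill's default and must be opted into here.
NARROW_PERMS = {"view", "edit"}
ALL_PERMS = NARROW_PERMS | {"full_access"}

# Assumption: Feishu user open_ids look like "ou_" followed by hex characters.
OPEN_ID_RE = re.compile(r"^ou_[0-9a-f]{8,}$")


class ScopeError(ValueError):
    """Raised instead of silently falling back to the drive root."""


def resolve_folder_token(folder_token: Optional[str], root_token: Optional[str]) -> str:
    """Apply the skill's documented priority (passed token > configured root)
    but refuse the third step, where an empty string means the whole drive root."""
    for candidate in (folder_token, root_token):
        if candidate:
            return candidate
    raise ScopeError(
        "no folder token given and FEISHU_ROOT_FOLDER_TOKEN is unset; "
        "refusing to operate on the drive root"
    )


def deny(_prompt: str) -> bool:
    """Default confirmation hook: never approve a destructive operation."""
    return False


@dataclass
class GuardedDrive:
    client: object  # the skill's client (stand-in interface)
    root_token: Optional[str] = field(
        default_factory=lambda: os.environ.get("FEISHU_ROOT_FOLDER_TOKEN")
    )
    confirm: Callable[[str], bool] = deny

    def delete_file(self, file_token: str, folder_token: Optional[str] = None) -> object:
        scope = resolve_folder_token(folder_token, self.root_token)
        if not self.confirm(f"delete {file_token} in folder {scope}?"):
            raise PermissionError("delete not confirmed")
        return self.client.delete_file(file_token, scope)

    def share_folder(self, folder_token: str, open_id: str, perm: str,
                     *, allow_full_access: bool = False) -> object:
        # No default permission: the caller must name the level every time.
        if perm not in ALL_PERMS:
            raise ValueError(f"unknown permission {perm!r}")
        if perm not in NARROW_PERMS and not allow_full_access:
            raise PermissionError("full_access requires allow_full_access=True")
        if not OPEN_ID_RE.fullmatch(open_id):
            raise ValueError(f"malformed open_id {open_id!r}; resolve emails to an open_id first")
        return self.client.add_permission(folder_token, open_id, perm)


class RecordingClient:
    """Constructed stand-in for the skill's client: records calls instead of calling Feishu."""

    def __init__(self) -> None:
        self.calls: List[Tuple] = []

    def delete_file(self, file_token: str, folder_token: str) -> dict:
        self.calls.append(("delete_file", file_token, folder_token))
        return {"ok": True}

    def add_permission(self, folder_token: str, open_id: str, perm: str) -> dict:
        self.calls.append(("add_permission", folder_token, open_id, perm))
        return {"ok": True}


def demo() -> List[Tuple]:
    """Exercise the guards with constructed tokens; return the calls that got through."""
    client = RecordingClient()
    drive = GuardedDrive(client, root_token="fldcnRoot0001", confirm=lambda _p: True)
    drive.delete_file("boxcnFile0001")  # scoped to the configured root, not the drive root
    drive.delete_file("boxcnFile0002", folder_token="fldcnSub0002")
    drive.share_folder("fldcnSub0002", "ou_0123456789abcdef", "view")
    blocked = (
        lambda: GuardedDrive(client, root_token=None, confirm=lambda _p: True).delete_file("boxcnFile0003"),
        lambda: drive.share_folder("fldcnSub0002", "ou_0123456789abcdef", "full_access"),
        lambda: drive.share_folder("fldcnSub0002", "alice@example.com", "edit"),
    )
    for attempt in blocked:
        try:
            attempt()
        except (ScopeError, PermissionError, ValueError):
            continue
        raise AssertionError("guard did not fire")
    return client.calls


if __name__ == "__main__":
    for call in demo():
        print(call)
```

The three blocked attempts in `demo()` are the failure modes from the findings: a delete with no scope at all, a share that reaches full_access without an explicit opt-in, and a share whose recipient is an email address rather than a verified open_id. Wiring `confirm` to an interactive prompt (or leaving it at `deny` for unattended runs) gives the confirmation step the overview asks for.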
Users have less external context for verifying the publisher history or comparing the packaged code to an upstream project.
The registry metadata does not identify an upstream repository or homepage, so provenance is limited even though source files are included.
Source: unknown; Homepage: none
Review the included Python source before use and install dependencies from trusted package indexes.
