v1.0.0

feishu-doc-publisher

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 3:41 PM.

Analysis

This skill appears to do what it claims—publish a chosen Markdown file to Feishu—but it needs Feishu credentials and will upload the selected file’s contents to Feishu.

Guidance

Before installing, confirm you trust the skill source, use a dedicated Feishu app secret with minimal document permissions, and only publish Markdown files that are safe to upload to Feishu. Check global and project .env files so the document is created under the intended Feishu credentials.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/publish.js
const mdContent = fs.readFileSync(filePath, 'utf-8');

The publisher reads the user-supplied local file before sending Markdown content to Feishu APIs. This is expected for the skill, but the file path determines what data is uploaded.

User impact: If the wrong file path is provided, local content could be published to Feishu unintentionally.
Recommendation: Use this skill only with Markdown files you intend to publish, and verify the path before invoking it.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
install.sh
(cd "$SCRIPT_DIR" && npm install --production --silent 2>&1)

The installer fetches npm dependencies. The package-lock pins dotenv with integrity, which reduces but does not eliminate supply-chain exposure.

User impact: Installing the skill depends on npm package resolution and the local npm environment.
Recommendation: Review package-lock.json before installation and prefer reproducible installs such as npm ci when possible.

Unexpected Code Execution
Severity: Low | Confidence: Medium | Status: Note
install.sh
TOKEN_RESULT=$(node -e "... JSON.stringify({ app_id: '$APP_ID', app_secret: '$APP_SECRET' }) ...")

The installer runs inline Node.js code during setup to test Feishu API connectivity and embeds credential values into that code. This is install-time code execution, though it is disclosed and related to validation.

User impact: The install process executes local Node.js commands and transmits the provided credentials to Feishu for validation.
Recommendation: Run the installer only from a trusted copy of the skill, and avoid passing secrets through shell history when possible.

Rogue Agents
Severity: Info | Confidence: High | Status: Note
install.sh
ln -s "$SCRIPT_DIR" "$INSTALL_TARGET"

The installer persistently registers the skill by symlinking it into the OpenClaw skills directory. This is disclosed installation behavior, not hidden background activity.

User impact: After installation, the skill remains available to OpenClaw until the symlink or skill directory is removed.
Recommendation: Install it only if you want ongoing access to this publisher skill, and remove the symlink if you no longer need it.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
FEISHU_APP_ID, FEISHU_APP_SECRET ... docx:document — 读写新版文档

The skill requires a Feishu app secret and document read/write permission. This authority is coherent with publishing documents, but it is sensitive account-level access.

User impact: The configured Feishu app can create and write Feishu documents according to the permissions granted in Feishu.
Recommendation: Use a dedicated Feishu app with only the document permissions needed for publishing, and protect the app secret.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
scripts/publish.js
const localEnvPath = path.join(process.cwd(), '.env'); if (fs.existsSync(localEnvPath)) { dotenv.config({ path: localEnvPath }); }

The script loads persistent project-local .env configuration. This is common and disclosed, but a project .env can affect which Feishu credentials are used.

User impact: Publishing from a directory with an unexpected .env file could use different Feishu credentials than intended.
Recommendation: Check the active .env files before publishing sensitive documents, especially in unfamiliar project directories.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/publish.js
fetch(`${BASE_URL}/docx/v1/documents/blocks/convert`, ... body: JSON.stringify({ content: markdownContent, content_type: 'markdown' }))

The skill sends document content to the Feishu provider API. The provider endpoint is explicit and purpose-aligned, but the content leaves the local machine.

User impact: Markdown content is transmitted to Feishu/Lark services as part of document creation.
Recommendation: Do not publish files containing secrets or private data unless that data is allowed in your Feishu workspace.