Feishu Automation
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is purpose-aligned for Feishu automation, but it can perform broad workspace writes, backups, scheduling, and optional external notifications, so users should scope and review its use carefully.
This does not show artifact-backed malicious behavior. Before installing, verify the source, review any scripts you plan to run, grant only the Feishu scopes needed for the task, test with dry-run or a small folder/table first, and be cautious with schedules, backups, and external notification channels.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command or token could create, update, move, or notify across many Feishu workspace items.
The skill is designed to automate bulk operations across multiple Feishu resources, which is appropriate for the purpose but can have broad impact if pointed at the wrong folder, table, or wiki.
perform batch operations across documents, wikis, bitables, and cloud storage
Use dry-run modes first, limit tokens/folders to the intended scope, and require explicit confirmation before bulk writes, moves, notifications, or migrations.
If granted broad scopes, the automation may access or modify documents, wikis, tables, and drive files within the app's permissions.
The skill needs broad Feishu app authority for its stated automation workflows. This is disclosed and purpose-aligned, but it gives the agent access to important workspace data and mutation capabilities.
Feishu app permissions enabled for: `docx`, `wiki`, `bitable`, `drive`
Use least-privilege Feishu app scopes, prefer read-only scopes where possible, and use a dedicated service account or app with audited access.
Scheduled jobs could keep generating, posting, or notifying about reports until the schedule is disabled.
The documentation shows how a user can configure recurring automation. This is not hidden persistence, but once enabled it can continue creating or updating reports on a schedule.
Set up a cron job to run weekly:
Start scheduled workflows disabled or in dry-run mode, monitor their first runs, and document how to stop or roll back each schedule.
Reports, alerts, or workflow details may be sent to external systems if those integrations are configured.
The sample configuration allows optional external notification channels such as email, Slack, and webhooks. No automatic sending is shown in the provided scripts, but enabling these channels could move report or alert data outside Feishu.
notification_channel: "feishu_chat" # or "email", "slack"
Only configure approved notification destinations, avoid placing secrets in config files, and review what data each notification sends.
Users cannot easily verify the publisher, source repository, or update history before granting Feishu access.
The skill's provenance is not verifiable from the supplied metadata. The visible artifacts do not show malicious install behavior, but users have less context for trust and maintenance.
Source: unknown; Homepage: none
Inspect the scripts before use, install only from trusted registries or owners, and avoid granting broad Feishu permissions until provenance is acceptable.
