Create a Deep Research Feishu Doc

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill’s Feishu research-document workflow is coherent, but it should be reviewed because it uses Feishu app secrets and tenant access tokens through raw shell API calls and tells the agent to display those tokens.

Review before installing. If you proceed, use a dedicated least-privilege Feishu app and a test or scoped folder, do not allow app secrets or tenant_access_token values to be printed, and consider adding a manual review step before the generated report is uploaded.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the tenant access token appears in chat transcripts, logs, or shared outputs, someone with access to those records may be able to perform Feishu actions within the app’s granted permissions.

Why it was flagged

The skill reads Feishu application credentials, exchanges them for a tenant access token, and explicitly requires that bearer token to be reported.

Skill content

Must read from the OpenClaw configuration... appId / appSecret ... after the token is obtained successfully, it must be reported: `tenant_access_token: t-xxxxx`

Recommendation

Do not print app secrets or tenant access tokens. Use a least-privilege dedicated Feishu app, declare the credential requirement clearly, redact tokens in outputs, and rotate credentials if any token is exposed.

What this means

Raw command/API execution with credentials increases the chance that secrets, tokens, or wrong folder/document identifiers are exposed or misused.

Why it was flagged

The instructions force raw shell and HTTP API usage, bypassing safer Feishu wrapper tools that could enforce scoping, redaction, and guardrails.

Skill content

Strictly call the Feishu REST API directly; the use of any wrapper tool is forbidden... Must use: the `exec` tool + the `curl` command to call the Feishu API directly

Recommendation

Prefer an official scoped connector or wrapper with secret redaction. If raw curl is necessary, require explicit approval for credential use and avoid showing full tokens or sensitive request bodies.

What this means

Incorrect, sensitive, or unreviewed research content could become a persistent Feishu document in the selected cloud folder.

Why it was flagged

After a single startup confirmation, the generated research is automatically uploaded and imported into Feishu cloud storage without a separate content-review step.

Skill content

After confirmation, **runs fully automatically** with no further interaction. ... Phase 2: File upload (fully automatic, must produce intermediate artifacts)

Recommendation

Use a non-sensitive target folder and ask for a preview/approval step before upload when the topic or sources may be confidential or high-stakes.