feishu-doc-reviewer
WarnAudited by ClawScan on May 18, 2026.
Overview
The skill is largely aligned with Feishu document review, but it exposes high-impact document editing and has a CLI argument-injection flaw that could let crafted inputs run local Python code.
Install only if you trust the source and can scope the Feishu app to the intended documents. Avoid the run-tool.sh helper until argument handling is fixed, and require the agent to show a diff and ask before modifying, deleting, or resolving document comments.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidental crafted token/text value could cause local code execution if the helper script is used.
Shell arguments are inserted directly into Python source code passed to python3 -c. A crafted argument containing quotes and Python syntax could break out of the string and execute arbitrary Python under the agent's local account.
python3 -c "... result = api.update_block('$DOCUMENT_TOKEN', '$BLOCK_ID', '''$NEW_TEXT''') ..."Do not use python3 -c with interpolated arguments. Pass values through sys.argv, JSON on stdin, or environment variables, and validate document tokens/block IDs before use.
The agent could change or remove business document content and mark the related comment resolved, making mistakes harder to notice.
The default CLI workflow can delete selected document text and then resolve the comment after the update. The artifacts do not show an explicit approval step, preview mode, rollback, or containment for destructive document edits.
default="delete_selected" ... api.delete_text_from_block(document_token, block_id, text_to_delete) ... resolve_result = api.resolve_comment(document_token, comment_id)
Require a preview/confirmation before update or delete operations, keep before/after diffs, and avoid resolving comments automatically unless the user explicitly approves.
Anyone running the skill with these credentials can operate on Feishu documents that the app is authorized to access.
The skill needs Feishu application credentials and read/edit permissions for documents and comments. This is expected for the stated integration, but users should understand the account authority being delegated.
FEISHU_APP_ID ... FEISHU_APP_SECRET ... 权限:docx:document:readonly, docx:document:edit, drive:drive:readonly, drive:drive:edit
Use the least-privileged Feishu app possible, authorize it only on intended documents, and store the App Secret securely rather than committing it.
Future dependency changes could alter behavior or introduce vulnerabilities in the local tool environment.
The skill asks users to install Python dependencies but does not pin exact versions or provide a lockfile. This is common, but it leaves dependency versions variable across installs.
requests python-dotenv mcp>=1.0.0; python_version>="3.10"
Install in an isolated environment and prefer pinned, reviewed dependency versions or a lockfile.
Full document content may enter the agent context, and text inside the document could influence the agent's later editing decisions.
The baseline workflow exports the document and asks the host model to read it. This is purpose-aligned, but the document text may contain sensitive content or instructions that should be treated as document data rather than agent instructions.
"export_markdown_result": export_res ... "请先通读并输出一份'编辑基线'"
Export full documents only when needed, avoid highly sensitive documents unless appropriate, and treat document contents as untrusted source material.