Feishu Bot Config Helper
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill appears to do its advertised Feishu bot setup, but it can run unpinned installer code, rewrite OpenClaw configuration, store Feishu app secrets, open broad bot access, and restart the gateway automatically.
Install only if you trust the GitHub source and are comfortable with a tool that edits ~/.openclaw/openclaw.json and restarts the gateway. Before using it, back up your OpenClaw config, restrict Feishu allowlists/group access, avoid sharing App Secrets in group chats, and review the exact changes it will make.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this way could run unreviewed code on the user's machine.
The documented install path executes a remote script directly from the mutable GitHub 'main' branch, so installed code can differ from the reviewed package.
curl -fsSL https://raw.githubusercontent.com/jiebao360/feishu-bot-config-helper/main/install.sh | bash
Avoid curl-to-bash installs from mutable branches; install from a pinned release or commit and inspect the installer before running it.
A single configuration run can change which agents exist, which Feishu bot credentials are active, how messages route, and restart the user's gateway service.
After parsing a configuration message, the script mutates OpenClaw agents/accounts/bindings, writes the global config file, and restarts the gateway without a visible approval or rollback step.
this.addAgent(config, botConfig); this.addFeishuAccount(config, botConfig); this.addBinding(config, botConfig); ... if (!this.writeConfig(config)) ... await this.restartGateway();
Require an explicit local admin confirmation, show a diff, create a backup of openclaw.json, and provide a rollback path before applying changes or restarting the gateway.
The created bot may be reachable more broadly than intended, and the Feishu app secret becomes part of the persistent OpenClaw configuration.
The script stores Feishu app credentials and configures the new account with wildcard direct-message allowance and open group policy.
appSecret: botConfig.appSecret, ... dmPolicy: 'allowlist', allowFrom: ['*'], groupPolicy: 'open'
Use narrowly scoped Feishu app credentials, avoid pasting secrets in shared chats, restrict allowFrom/groupPolicy to intended users or groups, and document where secrets are stored.
Existing OpenClaw agents may be changed unintentionally, and the gateway restart can propagate those changes immediately.
The script reuses fixed agent IDs such as work, notes, or generic_content and updates an existing agent's skills when the ID already exists, so a new bot setup can alter an existing agent.
const exists = config.agents.list.some(agent => agent.id === botConfig.agentId); if (exists) { ... agent.skills = botConfig.skills; }Detect collisions clearly, require confirmation before updating existing agents or accounts, and prefer unique account/agent IDs for each configured bot.
The skill can execute local commands that affect the user's OpenClaw service.
The script uses shell execution for local setup and gateway restart. The visible commands are fixed and purpose-aligned, but users should notice that the skill runs local commands.
const { exec } = require('child_process'); ... exec('openclaw gateway restart', (error) => {Run it only in an environment where you are comfortable allowing the skill to control OpenClaw configuration and gateway lifecycle.