Feishu Calendar Meeting.Tmp
Review
Audited by ClawScan on May 10, 2026.
Overview
This Feishu meeting helper largely matches its stated purpose, but it needs review because it uses and stores Feishu OAuth tokens while the registry metadata does not clearly declare that credential access.
Only install or use this skill if you are comfortable giving it Feishu Calendar and meeting permissions. Verify the publisher, keep the token file private, prefer a secure secret store, and confirm the meeting details before allowing the calendar event to be created.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with this token can act on the user’s Feishu account to list calendars and create calendar/video meeting events.
The skill needs a Feishu user access token with calendar and meeting scopes to call Feishu APIs, while the supplied registry requirements list no primary credential or required environment variables.
"tokens": ["feishu_user_token"] ... `calendar:calendar` ... `calendar:calendar.event:create` ... `vc:meeting` ... `Authorization: Bearer $USER_TOKEN`
Declare the Feishu credential in the registry metadata, use the minimum required OAuth scopes, and require clear user confirmation before creating meetings.
If that workspace file is exposed or reused by other agents/tasks, someone may gain continued access to the user’s Feishu calendar until the token is revoked or expires.
The skill stores Feishu access and refresh tokens persistently in a workspace Markdown file, but does not describe access controls, encryption, cleanup, or when the token may be reused.
access_token is valid for about 2 hours ... refresh_token is valid for about 30 days ... The token is saved in `~/.openclaw/workspace/feishu_tokens.md`
Store OAuth tokens in a protected secret store instead of a Markdown file, restrict file permissions, avoid sharing the workspace, and revoke/rotate tokens when no longer needed.
Wrong calendar IDs, times, or titles could create unintended meetings in Feishu.
The skill uses a direct API POST to create a calendar event. This is purpose-aligned, but it is still a mutating third-party account action.
curl -s -X POST "https://open.feishu.cn/open-apis/calendar/v4/calendars/${CALENDAR_ID}/events" ... -d "$JSON"
Review the calendar, title, attendees if added later, time zone, and start/end times before allowing the API call.
Users may have difficulty verifying which publisher or package identity they are trusting before providing Feishu credentials.
The included _meta.json owner and slug differ from the supplied registry owner `kn70ng69ktrfykn70dh5ga0e3n82jj9j` and slug `feishu-calendar-meeting-tmp`, which creates provenance ambiguity.
"ownerId": "kn73t6pgmwvenw46nty6and6z581rzqf", "slug": "feishu-calendar-meeting"
Reconcile the registry and package metadata, and verify the publisher/source before storing OAuth tokens for this skill.
