Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lark Calendar Litiao

Create, update, and delete calendar events and tasks in Lark (Feishu). Includes employee directory for automatic name-to-user_id resolution.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 91 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The code implements Lark (Feishu) calendar and task CRUD and an employee resolver — this matches the skill description. However, the registry metadata declares no required env vars or config paths, while the SKILL.md and code require FEISHU_APP_ID and FEISHU_APP_SECRET and load a .secrets.env file. Also SKILL.md's stated default calendar ID differs from the constant DEFAULT_CALENDAR_ID in lib/calendar.mjs, which is an internal inconsistency.
! Instruction Scope
SKILL.md instructs storing FEISHU_APP_ID and FEISHU_APP_SECRET in `.secrets.env` and provides CLI examples — that matches the scripts. The runtime code (lib/lark-api.mjs) loads dotenv from a path outside the skill folder (../../../../.secrets.env) and falls back to '.secrets.env', which means the skill will attempt to read a workspace-level secrets file. The employee lookup code can call /contact/v3/users (needs contact API permission). Adding 'Boyang' to every event is explicit business logic. Overall the runtime instructions are concrete, but reading the workspace .secrets.env and the calendar-id mismatch are scope concerns.
Install Mechanism
There is no install spec (instruction-only in registry), but a package.json and package-lock.json with a dependency on dotenv are included. That means the code expects dependencies to be installed (npm install) before use; no remote downloads or extraction URLs are present. This is moderate risk but not unusual.
! Credentials
The skill only needs FEISHU_APP_ID and FEISHU_APP_SECRET for the Lark API, which is proportionate. However, the manifest/registry did not declare these required env vars or any config paths, while the code explicitly loads a workspace-level `.secrets.env` (../../../../.secrets.env) and then '.secrets.env' as fallback. Loading a workspace secrets file could expose unrelated secrets present there to this skill (even if the code only uses two variables). The employee fetch also implies the Lark app needs contact read permission (not surfaced in metadata).
Persistence & Privilege
The skill is not always-included, does not request special platform-level persistence, and does not modify other skills or system configs. It runs as invoked (user-invocable / agent-invocable) which is the platform default.
What to consider before installing
Things to check before installing or running this skill:

  • Secrets: SKILL.md and the code require FEISHU_APP_ID and FEISHU_APP_SECRET. The skill's registry metadata did not declare these — verify you supply only the Lark app credentials and store them securely. Be careful: the code attempts to load a workspace-level .secrets.env (../../../../.secrets.env) and then '.secrets.env' — if you keep other secrets in a workspace .secrets.env, this skill will load them into process.env (even if it only uses two of the values). Prefer running the skill in an isolated environment or ensuring the .secrets.env contains only the intended Lark credentials.
  • Default calendar mismatch: the SKILL.md lists one default calendar ID but lib/calendar.mjs has a different DEFAULT_CALENDAR_ID. Confirm which calendar will actually be used, and update the code or docs to avoid accidentally creating events in the wrong calendar.
  • Permissions: employee name resolution will call the Lark contact API. Ensure the Lark app has the correct contact:read permission and that you are comfortable granting that to this app.
  • Business rule: the code always adds user_id 'dgg163e1' (Boyang) as an attendee to every event. If that is undesired, remove or modify ensureBoyangIncluded before use.
  • Dependencies / installation: there is no automated install step in the registry; package.json declares dotenv. Install dependencies (npm install) in a controlled environment before running scripts.
  • If you are unsure: inspect/replace the dotenv loading path to point to a dedicated secrets file (not a workspace root file), or run the scripts with environment variables set in the process rather than relying on .secrets.env.

Confidence note: the code is straightforward and matches the stated purpose, but the metadata omissions and the workspace-level .secrets.env loading raise legitimate privacy/correctness concerns; more information (e.g., intended .secrets.env location and which default calendar is authoritative) would raise confidence to high.
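
One way to act on the secrets advice above, as an added example that is not part of the skill's code: parse the secrets-file text yourself and hand the skill only the two Lark values, leaving process.env untouched. The function names, the minimal parser (a stand-in for dotenv) and the sample file content are assumptions constructed for illustration.

```javascript
// Added example (not the skill's code): read only the two Lark credentials
// from secrets-file text, without copying anything into process.env.
const REQUIRED_KEYS = ['FEISHU_APP_ID', 'FEISHU_APP_SECRET'];

// Minimal KEY=VALUE parser: skips blanks and # comments, strips one pair of
// surrounding quotes. It is a stand-in for dotenv, not a full replacement.
function parseEnvText(text) {
  const out = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue; // not an assignment
    const key = line.slice(0, eq).trim().replace(/^export\s+/, '');
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    if (quoted) value = quoted[2];
    out.set(key, value);
  }
  return out;
}

// Returns the credentials plus the names (never the values) of every other
// key found, so a shared workspace file is visible as a finding.
function pickLarkCredentials(text) {
  const parsed = parseEnvText(text);
  const missing = REQUIRED_KEYS.filter((k) => !parsed.get(k));
  if (missing.length > 0) {
    throw new Error(`missing required keys: ${missing.join(', ')}`);
  }
  const unrelated = [...parsed.keys()].filter((k) => !REQUIRED_KEYS.includes(k));
  return {
    appId: parsed.get('FEISHU_APP_ID'),
    appSecret: parsed.get('FEISHU_APP_SECRET'),
    unrelated,
  };
}

// Constructed sample: a workspace-level file that also holds other secrets.
const SAMPLE_WORKSPACE_ENV = [
  '# constructed sample, not a real file',
  'FEISHU_APP_ID=cli_constructed_example',
  'FEISHU_APP_SECRET="constructed-secret"',
  'OTHER_SERVICE_TOKEN=constructed-unrelated-token',
  'export DB_PASSWORD=constructed-unrelated-password',
].join('\n');

const creds = pickLarkCredentials(SAMPLE_WORKSPACE_ENV);
console.log(creds.appId, 'unrelated keys present:', creds.unrelated);
```

A non-empty `unrelated` list means the file being read is shared with other services and should be split before the skill is pointed at it.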
lib/lark-api.mjs:15
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk9766bfmck02k35y98ks8kmvt5832gss

SKILL.md

Lark Calendar & Task Skill

Create, update, and delete calendar events and tasks in Lark (Feishu).

Overview

This skill provides full CRUD operations for:

  • Calendar Events — meetings, appointments, schedules
  • Tasks (Todo) — action items with deadlines

Configuration

Required Environment Variables (in .secrets.env):

FEISHU_APP_ID=cli_a9f52a4ed7b8ded4
FEISHU_APP_SECRET=<your-app-secret>

Default Calendar: feishu.cn_caF80RJxgGcbBGsQx64bCh@group.calendar.feishu.cn (Claw calendar)

Default Timezone: Asia/Singapore

Quick Reference

Create Calendar Event

node skills/lark-calendar/scripts/create-event.mjs \
  --title "Meeting with Team" \
  --description "Discuss Q2 roadmap" \
  --start "2026-02-03 14:00:00" \
  --end "2026-02-03 15:00:00" \
  --attendees "Boyang,RK" \
  --location "Meeting Room A"

Parameters:

| Param | Required | Description |
|---|---|---|
| --title | | Event title |
| --description | | Event description |
| --start | | Start time (YYYY-MM-DD HH:MM:SS) |
| --end | | End time (YYYY-MM-DD HH:MM:SS) |
| --attendees | | Comma-separated names (auto-resolved to user_ids) |
| --attendee-ids | | Comma-separated user_ids directly |
| --location | | Event location |
| --timezone | | Timezone (default: Asia/Singapore) |
| --calendar | | Calendar ID (uses default if omitted) |

Update Calendar Event

node skills/lark-calendar/scripts/update-event.mjs \
  --event-id "f9900f6b-b472-4b17-a818-7b5584abdc37_0" \
  --title "Updated Title" \
  --start "2026-02-03 15:00:00" \
  --end "2026-02-03 16:00:00"

Delete Calendar Event

node skills/lark-calendar/scripts/delete-event.mjs \
  --event-id "f9900f6b-b472-4b17-a818-7b5584abdc37_0"

List Calendar Events

# List events for next 7 days
node skills/lark-calendar/scripts/list-events.mjs

# List events in date range
node skills/lark-calendar/scripts/list-events.mjs \
  --start "2026-02-01" \
  --end "2026-02-28"

Create Task

node skills/lark-calendar/scripts/create-task.mjs \
  --title "Review PR #123" \
  --description "Code review for authentication module" \
  --due "2026-02-05 18:00:00" \
  --assignees "Boyang,jc"

Parameters:

| Param | Required | Description |
|---|---|---|
| --title | | Task title |
| --description | | Task description |
| --due | | Due date (YYYY-MM-DD HH:MM:SS) |
| --assignees | | Comma-separated names (auto-resolved) |
| --assignee-ids | | Comma-separated user_ids directly |
| --timezone | | Timezone (default: Asia/Singapore) |

Update Task

node skills/lark-calendar/scripts/update-task.mjs \
  --task-id "35fc5310-a1b1-49c7-be75-be631d3079ee" \
  --title "Updated Task" \
  --due "2026-02-06 18:00:00"

Delete Task

node skills/lark-calendar/scripts/delete-task.mjs \
  --task-id "35fc5310-a1b1-49c7-be75-be631d3079ee"

Manage Event Attendees

# Add attendees
node skills/lark-calendar/scripts/manage-attendees.mjs \
  --event-id "xxx" --add "RK,jc"

# Remove attendees  
node skills/lark-calendar/scripts/manage-attendees.mjs \
  --event-id "xxx" --remove "jc"

Manage Task Members

# Add members
node skills/lark-calendar/scripts/manage-task-members.mjs \
  --task-id "xxx" --add "RK,jc"

# Remove members
node skills/lark-calendar/scripts/manage-task-members.mjs \
  --task-id "xxx" --remove "jc"

Employee Directory

Names are auto-resolved to Lark user_ids. Supported names:

| user_id | Names | Role |
|---|---|---|
| dgg163e1 | Boyang, by, 博洋 | Boss |
| gb71g28b | RK | Leadership, R&D |
| 53gc5724 | Ding | Leadership, Operations |
| 217ec2c2 | Charline | HR |
| f2bfd283 | 曾晓玲, xiaoling | HR |
| f26fe45d | HH | Research |
| 45858f91 | zan, Eva | - |
| 7f79b6de | Issac | Operations |
| 1fb2547g | 王铁柱 | Operations |
| e5997acd | 尼克, Nico | Operations |
| 438c3c1f | Ivan | Operations |
| 17g8bab2 | Dodo | R&D, Product |
| 73b45ec5 | 启超, QiChaoShi | R&D, Design |
| d1978a39 | chenglin | R&D, Frontend |
| ef6fc4a7 | 冠林, Green | R&D, Frontend |
| b47fa8f2 | sixian, sx, Sixian-Yu | R&D, Frontend |
| 934fbf15 | jc, sagiri, 俊晨 | R&D, Backend |
| 8c4aad87 | 大明, daming | R&D, Backend |
| ab87g5e1 | Emily Yobal | Intern |
| 55fa337f | jingda, 景达 | Intern |
| 333c7cf1 | 刘纪源, 纪源, Aiden | Intern |

Business Rules

  1. Boyang is always added as attendee to every calendar event (automatic)
  2. Timezone handling: Uses IANA identifiers (e.g., Asia/Singapore, Asia/Shanghai)
  3. Time format: Always YYYY-MM-DD HH:MM:SS
  4. user_id vs open_id: This skill uses user_id format (e.g., dgg163e1), NOT open_id (e.g., ou_xxx)

Programmatic Usage

import { createEvent, updateEvent, deleteEvent } from './skills/lark-calendar/lib/calendar.mjs';
import { createTask, updateTask, deleteTask } from './skills/lark-calendar/lib/task.mjs';
import { resolveNames } from './skills/lark-calendar/lib/employees.mjs';

// Create event
const result = await createEvent({
  title: 'Team Sync',
  description: 'Weekly standup',
  startTime: '2026-02-03 10:00:00',
  endTime: '2026-02-03 10:30:00',
  attendeeIds: ['dgg163e1', 'gb71g28b'],
  location: 'Zoom',
  timezone: 'Asia/Singapore'
});

// Create task
const task = await createTask({
  title: 'Review document',
  description: 'Q2 planning doc',
  dueTime: '2026-02-05 18:00:00',
  assigneeIds: ['dgg163e1'],
  timezone: 'Asia/Singapore'
});

Lark API Reference

Permissions Required

Ensure your Lark app has these scopes:

  • calendar:calendar — Read/write calendar ✅ (already enabled)
  • calendar:calendar:readonly — Read calendar ✅ (already enabled)
  • task:task:write — Write tasks ⚠️ (needs to be added for task creation)
  • task:task:read — Read tasks
  • contact:user.employee_id:readonly — Read user info ✅ (already enabled)

To add permissions:

  1. Go to Lark Open Platform
  2. Add scopes: task:task:write, contact:contact:readonly (for dynamic employee lookup)
  3. Re-publish the app version

Note: Without contact:contact:readonly, the skill uses a static fallback employee list. Update lib/employees.mjs when team changes.

Files

17 total