Feishu Meeting
v1.0.0Create Feishu (Lark) video meetings via Calendar API — instant, scheduled, or recurring. Supports multiple invitees (resolved from mobile/email), automatic F...
⭐ 0· 455·1 current·1 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The script behavior (creating calendar events, reserving VC links, resolving users) matches the stated purpose. However the registry metadata lists no required credentials or config paths while the script clearly needs Feishu appId/appSecret (from openclaw.json) and expects FEISHU_MEETING_OWNER_ID and FEISHU_MEETING_CALENDAR_ID environment variables — this mismatch is unexpected and should have been declared.
Instruction Scope
SKILL.md and the script stay within the domain of scheduling Feishu meetings and call only Feishu endpoints. The instructions do require you to populate app credentials in openclaw.json and to set owner/calendar identifiers, which the SKILL.md mentions in prose but the skill metadata did not enumerate as required—so runtime instructions access agent config files that were not declared in the registry metadata.
Install Mechanism
No install spec; this is an instruction-only skill with a small shell script. Nothing is downloaded from remote URLs and no archive extraction occurs. Risk from installation is low; primary risk comes from executing the provided script.
Credentials
The skill needs sensitive credentials (Feishu appId/appSecret) and environment vars (FEISHU_MEETING_OWNER_ID, FEISHU_MEETING_CALENDAR_ID / or editing the script). The registry metadata declared no required env vars or config paths, and did not set a primary credential — this omission is a red flag because the script reads the agent config file (/root/.openclaw/openclaw.json by default) to obtain the app credentials.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills or system-wide configuration. It only reads an existing OpenClaw config file and uses network calls to Feishu APIs; it does not persist new credentials or alter agent settings.
What to consider before installing
This script does what it claims (creates Feishu calendar events and VC links) but it requires Feishu app credentials and owner/calendar identifiers that were not declared in the skill metadata. Before running: 1) Inspect /root/.openclaw/openclaw.json (or the file set in OPENCLAW_CONFIG) to confirm it only contains the expected Feishu appId/appSecret and no unrelated secrets you don't want read by this script. 2) Set FEISHU_MEETING_OWNER_ID and FEISHU_MEETING_CALENDAR_ID (or edit the script's configuration block) rather than running as root or with a config that holds other credentials. 3) Verify the Feishu app has only the minimal scopes listed in SKILL.md. 4) If you cannot verify the openclaw.json contents or prefer stricter isolation, extract the Feishu appId/appSecret into a separate config file and set OPENCLAW_CONFIG to that file, run the script in an isolated environment, or run the API calls yourself. The current mismatch between declared requirements and what the script actually reads is the main reason to treat this as suspicious rather than benign.Like a lobster shell, security has layers — review code before you run it.
latest
Feishu Meeting
Create Feishu video meetings with one command. Meetings appear in attendees' calendars with auto-generated VC links.
Prerequisites
Feishu app permissions (enable in Feishu Open Platform console):
calendar:calendar— Read/write calendarsvc:reserve— Reserve meetingscontact:user.id:readonly— Resolve mobile/email to user IDs
The app must have bot capability enabled.
Configuration
Before first use, set these values in scripts/create.sh:
DEFAULT_OWNER_OPEN_ID— Open ID of the default meeting owner (required)CALENDAR_ID— The bot's primary calendar ID (run the discovery command below)
Discover Calendar ID
# After configuring Feishu appId/appSecret in openclaw.json:
curl -s "https://open.feishu.cn/open-apis/calendar/v4/calendars" \
-H "Authorization: Bearer $TOKEN" | python3 -c "
import json,sys
for c in json.load(sys.stdin)['data']['calendar_list']:
print(f\"{c['calendar_id']} {c['type']} {c['summary']}\")"
Use the primary calendar ID.
Usage
scripts/create.sh "Topic" # Instant (5min from now)
scripts/create.sh "Topic" --start "2026-03-10 14:00" --duration 60 # Scheduled
scripts/create.sh "Topic" --invitee "13800138000" # With invitee
scripts/create.sh "Topic" --invitee "a@b.com" --invitee "138..." # Multiple
scripts/create.sh "Topic" --rrule "FREQ=WEEKLY;BYDAY=WE;COUNT=8" # Recurring
Options
| Flag | Description | Default |
|---|---|---|
--invitee <mobile|email> | Add invitee (repeatable) | Owner only |
--start <datetime> | Start time "YYYY-MM-DD HH:MM" | Now + 5 min |
--duration <min> | Duration in minutes | 60 |
--rrule <rule> | RFC 5545 recurrence rule | None |
Positional args after topic are treated as invitees for convenience.
RRULE Examples
| Pattern | RRULE |
|---|---|
| Every Monday | FREQ=WEEKLY;BYDAY=MO;COUNT=52 |
| Every weekday | FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR;COUNT=52 |
| Biweekly Wednesday | FREQ=WEEKLY;INTERVAL=2;BYDAY=WE;COUNT=26 |
| Monthly 1st Friday | FREQ=MONTHLY;BYDAY=1FR;COUNT=12 |
| Daily for 5 days | FREQ=DAILY;COUNT=5 |
Important: Feishu requires COUNT or UNTIL in recurrence rules. The script auto-appends COUNT=52 if neither is present.
How It Works
- Gets
tenant_access_tokenfrom Feishu app credentials - Creates a calendar event with
vchat.vc_type: "vc"(auto-generates Feishu VC link) - Resolves invitee mobiles/emails → open_ids via
batch_get_id - Adds attendees to the calendar event (they see it in their Feishu calendar)
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
99991672 | Missing permission | Enable the required scope in app console |
190002 invalid parameters | Bad RRULE or timestamp | Ensure RRULE has COUNT/UNTIL; timestamps are Unix seconds |
| Invitee not found | User not in app's visibility scope | Add user to app's contact scope, or share link manually |
121003 param error on reserves API | Wrong field in payload | Don't pass invitees to /vc/v1/reserves/apply — it doesn't exist |
Comments
Loading comments...