Feishu Whiteboard V2

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Feishu whiteboard purpose, but it exposes a live Feishu tenant token and includes extra Feishu-writing helper scripts outside the advertised workflow.

Install only if you are comfortable giving the skill Feishu app credentials with document and whiteboard scopes. Verify the target document IDs before use, avoid the token-printing auth test, and review or remove the extra Bitable/Docx helper scripts if you only need whiteboard diagrams.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If given the wrong document or block ID, the agent could create content in the wrong Feishu document.

Why it was flagged

The intended workflow runs a local helper that creates Feishu document blocks and fills whiteboard nodes. This is disclosed and matches the whiteboard purpose, but it mutates a third-party workspace.

Skill content

Run `scripts/feishu-board.js` to complete "create whiteboard block + fill nodes"

Recommendation

Only use it with document IDs and parent block IDs you have verified, and review the generated Mermaid or PlantUML before running the helper.

What this means

Installing users may not realize from the registry metadata that they must provide Feishu app credentials with document and whiteboard permissions.

Why it was flagged

The skill requires Feishu app credentials to call Feishu Open API. That is expected for the integration, but the registry metadata says no required environment variables or primary credential.

Skill content

- `FEISHU_APP_ID`
- `FEISHU_APP_SECRET`

Recommendation

Declare these credentials in metadata and use the least-privileged Feishu app scopes needed for the specific documents.

What this means

A leaked tenant token could allow access to Feishu APIs within the app's granted scopes until the token expires.

Why it was flagged

The `get-tenant-token` command prints a live tenant access token to stdout. That token can then appear in chat transcripts, terminal logs, or other agent context.

Skill content

print({ ok: true, tenantAccessToken: token });

Recommendation

Avoid running `get-tenant-token` unless necessary; the skill should mask the token or only report whether authentication succeeded.

What this means

The package contains additional Feishu account-mutation capability that a user may not expect when installing a whiteboard diagram skill.

Why it was flagged

This included helper can create and populate Feishu spreadsheets, which is outside the advertised whiteboard-only purpose and is not described in SKILL.md's core workflow.

Skill content

* Feishu Bitable API - Create spreadsheets with any size

Recommendation

Remove unrelated helpers or clearly document and separately declare their permissions, inputs, and intended use.

What this means

That helper may fail to run or require installing additional code that was not reviewed in these artifacts.

Why it was flagged

An included helper depends on an external package, while the supplied skill has no install specification or dependency lockfile in the provided artifacts.

Skill content

} = require('feishu-markdown');

Recommendation

Provide a clear install spec and pinned dependency information, or omit this helper from the whiteboard skill package.