Lark Report Collector

Audited by ClawScan on May 10, 2026.

Overview

The skill has a plausible Lark reporting purpose, but it would use your logged-in Lark account to read reports, create documents, and send notifications without clear limits on credentials, recipients, or local storage.

Use this only if you are comfortable letting the agent operate through your Lark login. Before running it, specify the exact team, report template, week, output document location, notification recipients, and local temporary file handling. Review the generated summary before any notification is sent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run in the wrong browser profile or account, the agent could access private team reports available to that Lark session.

Why it was flagged

The skill relies on a live Lark browser session, meaning the agent can act with the user's Lark permissions. The registry metadata does not declare a primary credential or required environment variable, and the SKILL.md does not bound which account, teams, or permissions should be used.

Skill content
browser action=navigate profile=openclaw targetUrl="https://oa.larksuite.com/report/record/entry"

Prerequisites: openclaw browser must have active Lark login session.

Recommendation

Use a dedicated least-privileged Lark profile or service account, explicitly confirm the account/team/template/week before collection, and declare the Lark session/API credential requirement.

What this means

A mistaken collection or summary could be published or sent to the wrong people under the user's Lark account.

Why it was flagged

Creating Lark Docs and sending Lark messages are mutating account actions. The instructions do not require explicit final approval of the generated document, sharing destination, or notification recipients.

Skill content
Create document via Lark Open API (see `lark-api` skill for auth).

...

Send message via Lark API with doc link.

Recommendation

Require a user confirmation step before creating shared documents or sending notifications, and require the user to provide or approve the exact doc location and recipients.

What this means

Private weekly report contents may remain on disk after the task finishes.

Why it was flagged

The workflow stores extracted report data locally. That is purpose-aligned, but the artifacts do not specify the file path, retention period, cleanup behavior, or access controls.

Skill content
Append to local file after each extraction (prevents data loss)

Recommendation

Use a user-approved temporary path, avoid storing more than necessary, and delete or protect the local extraction file after the final Lark document is reviewed.