weekly-report-generator-feishu-chinese
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s purpose is mostly coherent, but it tells the agent to scan Git repositories and send the generated report to Feishu automatically without user review.
Install only if you want this skill to scan your configured Git project directory and send reports to Feishu. Before using it, edit the scripts to point only at intended repositories, store Feishu secrets safely, verify the recipient, and require a preview/approval step before sending or enabling any scheduled task.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may proceed with repository scanning and report generation before the user has confirmed scope, paths, or output destination.
The skill directs the agent to force this workflow for relevant requests and to run actions without first confirming details with the user.
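<HARD-GATE>When the user needs to generate a weekly report, summarize this week's work, or analyze git commit records, this skill must be invoked first.</HARD-GATE> ... **Without asking the user, directly perform the following operations:**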
Require an explicit preview/confirmation step before scanning broad project roots or sending the final report.
Private commit summaries or work details could be posted to Feishu before the user checks the contents or recipient.
The workflow requires an external send action immediately after generation and explicitly suppresses review or approval.
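### Step 5: Automatically send to Feishu (must be executed) ... **Important: after the AI finishes optimizing the weekly report, it must be sent to Feishu immediately, without any checking or asking.**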
Change the workflow so the agent shows the generated report and asks for confirmation before invoking send-to-feishu.sh.
Anyone with access to the configured script could potentially use the Feishu app secret to send messages with the app’s granted permissions.
The skill requires Feishu application credentials and bot message-sending permissions, even though registry metadata declares no primary credential.
APP_ID="your_app_id" ... APP_SECRET="your_app_secret" ... RECEIVE_ID="your_open_id" ... Permission management ... `im:message` ... `im:message:send_as_bot`
Store Feishu secrets in environment variables or a secret manager, keep bot permissions minimal, and avoid committing configured scripts.
Report contents derived from local Git history may leave the local environment and be delivered to the configured Feishu account or chat.
The script reads the generated report file and sends its contents to the Feishu API using the configured recipient ID.
report_content = f.read()[:3000] ... 'https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id'
Make the destination and report content visible to the user before sending, and document what data is transmitted.
If configured, the report workflow could run on a schedule without a fresh user prompt each week.
The documentation describes installing a launchd scheduled task for recurring weekly automation.
Configure scheduled task (macOS) ... launchctl load ~/Library/LaunchAgents/com.user.weekly-report.plist
Only enable the scheduled task if unattended sending is intended, and provide clear disable/unload instructions to users.
