weekly-report-generator-feishu
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill does match its weekly-report purpose, but it can automatically scan local Git work and send the report to Feishu without asking you to review it first.
Install only if you are comfortable with a tool scanning your configured Git project directory and sending a generated report to Feishu. Before use, narrow PROJECT_ROOT, store Feishu secrets securely, review the generated report, and avoid enabling the scheduled task or automatic send unless that behavior is intentional.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A report built from local work data could be posted before the user has checked its contents, recipient, or sensitivity.
The skill directs the agent to run local collection and send commands automatically, including the final external send, without requiring user confirmation or review.
“No need to ask the user; execute the following actions directly” ... “Step 5: Automatically send to Feishu (must be executed)” ... “Must be sent to Feishu immediately, without any checks or questions.”
Add an explicit preview-and-confirm step before Feishu sending, and make automatic sending opt-in rather than mandatory.
Commit summaries, project names, work descriptions, or screenshot-derived information may leave the local machine and be delivered to the configured Feishu account or chat.
The script reads the generated local report and sends its content to the Feishu messaging API using the configured recipient ID.
report_content = f.read()[:3000] ... 'https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id'
Clearly show the destination and report contents before sending, allow redaction, and require explicit user approval for each external post unless the user has knowingly enabled a scheduled mode.
Anyone with access to the configured script may see the Feishu app secret, and the app can send messages as the bot within its granted scope.
The skill requires Feishu application credentials and bot message-sending permissions, although the registry metadata declares no primary credential or environment variables.
APP_ID="your_app_id" ... APP_SECRET="your_app_secret" ... RECEIVE_ID="your_open_id" ... `im:message` ... `im:message:send_as_bot`
Use environment variables or a secret manager instead of hardcoding APP_SECRET, grant only the required Feishu permissions, and declare the credential requirement in metadata.
If enabled, the workflow can continue generating and sending weekly reports on a schedule without a fresh manual request.
The documentation includes a persistent scheduled execution path via macOS launchd.
Configure a scheduled task (macOS) ... launchctl load ~/Library/LaunchAgents/com.user.weekly-report.plist
Enable the launchd job only if you want recurring automation, keep the project root and recipient narrowly scoped, and know how to unload the job.
Manual copying and path editing can lead to misconfiguration or make it harder to verify exactly what will run.
The registry presents no formal install mechanism even though the skill depends on executable helper scripts and fixed local paths.
Install specifications: No install spec — this is an instruction-only skill. Code file presence: 2 code file(s): scripts/send-to-feishu.sh; scripts/auto-weekly-report.sh
Provide a clear install spec, align documented paths with the scripts, and include all referenced scheduling files or remove those instructions.
