feishu-calendar-meeting

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill is purpose-aligned for creating Feishu calendar meetings, but users should protect the Feishu OAuth tokens it asks them to store locally.

This skill appears coherent and benign for creating Feishu calendar meetings. Before using it, make sure you trust the workspace where tokens are stored, verify the requested Feishu permissions, and review each meeting creation request before it is sent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, the agent can create Feishu calendar events and associated video meetings with the provided token.

Why it was flagged

The skill uses an authenticated API call to create calendar events, which is exactly its stated purpose but still changes the user's Feishu account data.

Skill content

curl -s -X POST "https://open.feishu.cn/open-apis/calendar/v4/calendars/${CALENDAR_ID}/events" ... -H "Authorization: Bearer $USER_TOKEN" ... -d "$JSON"

Recommendation

Use the skill only when you intend to create a meeting, and review the title, time, calendar ID, and optional fields before sending the request.

What this means

Anyone or any agent process with access to the token could use the permitted Feishu APIs, including creating calendar events.

Why it was flagged

The skill requires a Feishu user token with calendar and meeting permissions; these credentials are expected for the integration but grant delegated account authority.

Skill content

A user_access_token must be obtained ... - `calendar:calendar` - `calendar:calendar.event:create` - `vc:meeting`

Recommendation

Use the least-privileged Feishu app permissions available, keep the token private, and revoke or rotate it if you no longer need the skill.

What this means

A saved refresh token could continue enabling Feishu access for up to about 30 days if the file is exposed.

Why it was flagged

The skill documents persistent local storage of Feishu tokens in a workspace markdown file, which may be reused across tasks or exposed if the workspace is broadly readable.

Skill content

The refresh_token is valid for about 30 days

Tokens are saved in `~/.openclaw/workspace/feishu_tokens.md`

Recommendation

Prefer a secure secret store if available, restrict file permissions on the token file, and delete or rotate tokens when the integration is no longer needed.