Feishu Task Workbench

Before installing, consider these points: - The skill will create and modify JSON files under tasks/feishu/<account>/<peer>.json on the agent host. Confirm the host working directory and file permissions are safe and that the agent runs with least privilege (or run the skill inside a sandbox/container). - The included Python script does not sanitize or validate the registry path components. Ensure the agent or caller constructs safe account/peer values (no ../ or absolute paths). Ask the author to add filename sanitization (e.g., whitelist/escape peer ids) or patch scripts/task_registry.py to reject/escape unsafe path segments. - The skill stores sessionKey values in the registry and the instructions may return sessionKey and the registry path in status responses. Treat sessionKey as sensitive: verify you are comfortable with that exposure, or request the skill only show sessionKey on explicit explicit user request and never include it in normal status outputs. - The skill requires the platform session tools (sessions_spawn, sessions_send, sessions_history). Enabling agent-to-agent/session visibility increases the blast radius: only grant those capabilities to trusted skills and consider limiting which agents/skills can use them. - If you need higher assurance, run the skill in a controlled environment first (test account or container), review/modify scripts/task_registry.py to add path sanitization and stricter file permissions, and verify the skill's runtime behavior (that it won't write outside tasks/feishu or leak session identifiers).