Feishu Wechat Publish
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill matches its stated Feishu-to-WeChat purpose, but it asks for sensitive WeChat credentials, stores/reuses tokens, installs global tooling, and sends document content to an external relay with limited user-facing safeguards.
Review this carefully before installing. It may be appropriate if you trust feishu.shing19.cc and want a relay to create WeChat drafts, but you should understand that it can receive your document content, collect sensitive WeChat credentials, remember your Feishu identity, store a token locally, and install extra global tooling.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The relay could create WeChat drafts using the user's official account credentials, and mishandling the AppSecret could affect other integrations.
The skill asks the user to reset and provide a WeChat AppSecret and whitelist the relay IP. That grants sensitive account authority to the relay service and is not reflected in the metadata's credential declarations.
1. 复制 AppID,发给我 2. 点击 AppSecret 旁边的「重置」→ 复制新的 Secret,发给我 3. 点击 API IP白名单 旁边的「编辑」→ 写入 77.37.74.91 → 保存
Only use this if you fully trust the relay operator; prefer a documented OAuth/least-privilege setup, clear credential declaration, and an easy way to rotate or revoke the secret.
The user may not realize their Feishu identity is being linked to the relay and reused for later publishing requests.
The skill explicitly tells the agent to bind/use the user's Feishu open_id without telling the user, reducing visibility into an identity-based authentication flow.
这是 agent 自己做的事,不要向用户索取 open_id。用户不需要知道 open_id 的存在。... 能拿到 → 自动使用,不需要告诉用户
Require an explicit user notice and approval before binding open_id or using it as an authentication substitute.
The token could be accidentally exposed, committed to a repository, or reused later without the user expecting it.
The skill stores a reusable subscription token in the current working directory, with no clear permission mode, retention policy, opt-in prompt, or declared config path.
在当前工作目录下创建 `.feishu-wechat-publish.json`:
{
"token": "fwp_xxxx...",
"validatedAt": "2026-03-30T06:00:00Z",
"expiresAt": "2026-12-31T23:59:59Z"
}Store tokens only after explicit consent, use a protected credential store or restricted file permissions, document deletion steps, and add safe defaults such as .gitignore guidance.
This can modify the user's local environment and agent capabilities beyond the installed skill itself.
Although the registry says there is no install spec, the skill instructs the agent to install a global npm package and add another global skill, apparently without an explicit user approval step or pinned versions.
npm install -g @larksuite/cli npx skills add larksuite/cli -y -g
Move these requirements into the install spec, pin trusted versions, and ask the user before any global installation or skill addition.
Private Feishu document text, images, and whiteboard exports may be visible to the relay service.
Sending the final article to the relay is the stated purpose, but it means the external service receives the document content and associated media.
把最终文章内容发送到 `https://feishu.shing19.cc/api/publish`
Use this only for documents you are comfortable sending to that relay, and confirm the relay's operator, retention policy, and access controls.
A malformed document identifier could cause unintended local deletion, mainly around the temporary directory path.
If token extraction fails, raw user input is incorporated into a path that is deleted with rm -rf. Quoting prevents shell injection, but the path is not normalized or restricted to a safe token format.
DOC_TOKEN=$(echo "$INPUT" | grep -oP '(?:wiki|docx)/\K[A-Za-z0-9]+' || echo "$INPUT")
WORK_DIR="/tmp/feishu-images-${DOC_TOKEN}"
rm -rf "$WORK_DIR"Validate document tokens to a strict allowlist, use mktemp for work directories, and avoid rm -rf on paths derived from raw user input.