feishu-task-integration-skill

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated Feishu task-sync purpose, but the primary scripts hardcode developer-specific paths and Feishu user IDs while holding Feishu task-write authority, so they should be reviewed before use.

Before installing, inspect and edit the scripts to remove /home/gary paths and hardcoded Feishu user IDs, configure your own Feishu app credentials with minimal permissions, and confirm that automatic task creation/completion sync is acceptable for your workspace.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using normal todo commands can create or complete tasks in the user's Feishu workspace.

Why it was flagged

The documented workflow intentionally creates Feishu tasks and marks them complete from local todo commands. This is purpose-aligned, but it mutates a third-party task system.

Skill content
Automatically create Feishu tasks... tasks completed locally are automatically synced to Feishu... done0
Recommendation

Use the skill only with a Feishu app and workspace where this automatic sync behavior is intended.

What this means

Tasks could be assigned to or shared with an unintended Feishu identity if the code runs in a Feishu tenant where the hardcoded ID resolves, or if the user does not inspect the defaults before running it.

Why it was flagged

The primary Feishu integration script hardcodes a Feishu user ID and, by default, adds both that "current user" and a user named Yangbin as assignees or followers, rather than requiring explicit per-user configuration.

Skill content
self.current_user_id = "ou_19c0ea5e1a6d3e318b52f4978684bd03"  # current user ID ... def create_task(... add_yangbin=True, add_current_user=True)
Recommendation

Remove hardcoded user IDs, require explicit assignee/follower configuration, and show/confirm the target users before creating or updating Feishu tasks.

What this means

The configured Feishu app can create, update, and manage task membership within the permissions granted by the workspace.

Why it was flagged

The skill requires a Feishu app secret and task read/write, assignee, and follower permissions. This is expected for the integration, but it is sensitive authority.

Skill content
"app_secret": "your_app_secret" ... `task:task` (task read/write permission) ... `task:task.assignee` ... `task:task.follower`
Recommendation

Use least-privilege Feishu app permissions, rotate the app secret if exposed, and avoid granting broader workspace permissions than the skill needs.

What this means

The skill may fail, read the wrong configuration, or use credentials from an unintended local workspace path.

Why it was flagged

The documented configuration is a generic feishu_config.json, but the primary script reads credentials from a developer-specific absolute path, creating an unexpected local dependency and unclear credential source.

Skill content
config_file = '/home/gary/.openclaw/workspace/feishu_config.json'
Recommendation

Use a relative or user-configurable config path, declare the credential requirement in metadata, and remove developer-specific paths before installation.
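The recommendations for the hardcoded user IDs and the developer-specific config path both come down to the same fix: load credentials and target users from a user-controlled location, refuse placeholder or malformed values, and show the recipients before any task is written. The following Python is an added example written for this review, not code from the audited skill or from Feishu. It assumes a JSON config with the keys app_id, app_secret, assignee_open_ids and optional follower_open_ids (the key names are this example's choice), a FEISHU_CONFIG environment variable as the override mechanism, and that Feishu open IDs look like "ou_" followed by 32 hex characters, which matches the ID quoted above but is an assumption about the format.

```python
"""Hardened config loading for a Feishu task-sync script (added example, not the skill's code).

Assumptions (not taken from the audited skill): JSON config keys app_id,
app_secret, assignee_open_ids (non-empty list), optional follower_open_ids
and todo_file; path comes from an explicit argument, the FEISHU_CONFIG env
var, or a per-user default under ~/.config, never a developer's home dir.
"""
import json
import os
import re
from pathlib import Path

# Observed format of the ID quoted in the report: "ou_" + 32 hex chars (assumption).
OPEN_ID_RE = re.compile(r"^ou_[0-9a-f]{32}$")
# The docs ship "your_app_secret" as a template value; it must never reach a real run.
PLACEHOLDER_VALUES = {"", "your_app_id", "your_app_secret"}
ALLOWED_KEYS = {"app_id", "app_secret", "assignee_open_ids", "follower_open_ids", "todo_file"}
DEFAULT_CONFIG = Path.home() / ".config" / "feishu-task-sync" / "feishu_config.json"


class ConfigError(ValueError):
    """Raised when the config would grant write authority on bad inputs."""


def resolve_config_path(explicit=None, env=os.environ):
    """Explicit argument > FEISHU_CONFIG environment variable > per-user default."""
    if explicit:
        return Path(explicit).expanduser()
    if env.get("FEISHU_CONFIG"):
        return Path(env["FEISHU_CONFIG"]).expanduser()
    return DEFAULT_CONFIG


def config_problems(cfg):
    """Return a list of human-readable problems; an empty list means the config is usable."""
    problems = []
    unknown = set(cfg) - ALLOWED_KEYS
    if unknown:
        problems.append(f"unknown config keys: {sorted(unknown)}")
    for key in ("app_id", "app_secret"):
        value = cfg.get(key)
        if not isinstance(value, str) or value in PLACEHOLDER_VALUES:
            problems.append(f"{key} is missing or still a placeholder")
    assignees = cfg.get("assignee_open_ids")
    if not isinstance(assignees, list) or not assignees:
        # No implicit assignee: the user must name who receives tasks.
        problems.append("assignee_open_ids must be a non-empty list (no default assignee is applied)")
        assignees = []
    for uid in assignees + list(cfg.get("follower_open_ids", [])):
        if not isinstance(uid, str) or not OPEN_ID_RE.match(uid):
            problems.append(f"malformed Feishu open_id: {uid!r}")
    return problems


def validate_config(cfg):
    """Raise ConfigError on the first problem set; otherwise return cfg unchanged."""
    problems = config_problems(cfg)
    if problems:
        raise ConfigError("; ".join(problems))
    return cfg


def load_config(path):
    """Read and validate the file; refuse group/world-accessible files since they hold app_secret (POSIX)."""
    path = Path(path)
    loose_bits = path.stat().st_mode & 0o077
    if loose_bits:
        raise ConfigError(f"{path} is group/world accessible (mode bits {loose_bits:o}); chmod 600 it")
    with path.open(encoding="utf-8") as fh:
        return validate_config(json.load(fh))


def describe_targets(cfg):
    """Text shown to the user before any task is created, so recipients are confirmed explicitly."""
    lines = ["Tasks will be created with:"]
    lines += [f"  assignee: {uid}" for uid in cfg["assignee_open_ids"]]
    lines += [f"  follower: {uid}" for uid in cfg.get("follower_open_ids", [])]
    return "\n".join(lines)


def create_task_with_confirmation(client_create, cfg, summary, confirm):
    """Gate the real API call: confirm(text) sees the target list and must return True to proceed."""
    if not confirm(describe_targets(cfg)):
        return None
    return client_create(summary=summary, assignees=cfg["assignee_open_ids"],
                         followers=cfg.get("follower_open_ids", []))


if __name__ == "__main__":
    cfg = load_config(resolve_config_path())
    ok = input(describe_targets(cfg) + "\nProceed? [y/N] ").strip().lower() == "y"
    print("confirmed" if ok else "aborted; no Feishu task created")
```

client_create stands in for whatever wrapper the script uses to call the Feishu task API; the point is that it is never reached with a default assignee, a template secret, or a config read from someone else's home directory.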

What this means

Task names and Feishu task IDs may remain on disk after use.

Why it was flagged

The handler persists local todo text, completion status, and Feishu task identifiers. This is expected for a sync tool, but it stores potentially sensitive work-task data locally.

Skill content
self.todo_file = '/home/gary/.openclaw/workspace/todo_data.json' ... 'content': content ... 'feishu_task_id': feishu_result.get('task_id')
Recommendation

Store todo data in a user-approved path, document retention/cleanup behavior, and avoid putting sensitive task details into todos unless local storage is acceptable.