feishu-task-integration-skill
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using normal todo commands can create or complete tasks in the user's Feishu workspace.
The documented workflow intentionally creates Feishu tasks and marks them complete from local todo commands. This is purpose-aligned, but it mutates a third-party task system.
Automatically create Feishu tasks... completing a task locally automatically syncs it to Feishu... done0
Use the skill only with a Feishu app and workspace where this automatic sync behavior is intended.
Tasks could be assigned to or shared with an unintended Feishu identity if the code runs in a compatible tenant or if the user does not inspect the defaults.
The primary Feishu integration script hardcodes a Feishu user ID and defaults to adding the current user/Yangbin as assignees or followers, rather than requiring explicit per-user configuration.
self.current_user_id = "ou_19c0ea5e1a6d3e318b52f4978684bd03" # current user ID ... def create_task(... add_yangbin=True, add_current_user=True)
Remove hardcoded user IDs, require explicit assignee/follower configuration, and show/confirm the target users before creating or updating Feishu tasks.
The configured Feishu app can create, update, and manage task membership within the permissions granted by the workspace.
The skill requires a Feishu app secret and task read/write, assignee, and follower permissions. This is expected for the integration, but it is sensitive authority.
"app_secret": "your_app_secret" ... `task:task` (task read/write permission) ... `task:task.assignee` ... `task:task.follower`
Use least-privilege Feishu app permissions, rotate the app secret if exposed, and avoid granting broader workspace permissions than the skill needs.
The skill may fail, read the wrong configuration, or use credentials from an unintended local workspace path.
The documented configuration is a generic feishu_config.json, but the primary script reads credentials from a developer-specific absolute path, creating an unexpected local dependency and unclear credential source.
config_file = '/home/gary/.openclaw/workspace/feishu_config.json'
Use a relative or user-configurable config path, declare the credential requirement in metadata, and remove developer-specific paths before installation.
Task names and Feishu task IDs may remain on disk after use.
The handler persists local todo text, completion status, and Feishu task identifiers. This is expected for a sync tool, but it stores potentially sensitive work-task data locally.
self.todo_file = '/home/gary/.openclaw/workspace/todo_data.json' ... 'content': content ... 'feishu_task_id': feishu_result.get('task_id')
Store todo data in a user-approved path, document retention/cleanup behavior, and avoid putting sensitive task details into todos unless local storage is acceptable.
