ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-calendar

Manage Feishu (Lark) calendars by listing, searching, checking schedules, syncing events, and marking tasks with automated date extraction.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 4.5k · 89 current installs · 98 all-time installs
by@autogame-17
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the repository contains multiple scripts to list/search/create/sync Feishu calendar events and to create shared calendars. Requiring FEISHU_APP_ID and FEISHU_APP_SECRET is consistent with that purpose. However the published registry metadata claims no required env vars while the code and SKILL.md clearly require FEISHU credentials (and one script references OPENCLAW_MASTER_ID). That mismatch is an incoherence the maintainer should fix.
!
Instruction Scope
SKILL.md instructs running the provided node scripts and documents FEISHU_APP_ID/FEISHU_APP_SECRET in .env, which is consistent. But the code goes beyond passive reads: it creates and deletes calendar events (see cleanup.js and setup_routine.js), creates shared calendars and adds ACL members (setup_shared.js), and writes to local files (memory/calendar_events.json and HEARTBEAT.md in sync.js). search_cal.js references OPENCLAW_MASTER_ID but SKILL.md doesn't document it. Also several files call ../common/time-helper.js which is not present in the manifest (runtime breakage risk). These behaviors are within calendar-management scope, but they are high-impact actions (deleting events, making calendars public, adding members, scheduling recurring 'maintenance' events) and should be explicitly disclosed and gated.
Install Mechanism
There is no explicit install spec (instruction-only), which is low risk for automatic installs. The package.json and package-lock.json declare standard npm deps (@larksuiteoapi/node-sdk, dotenv). No downloads from arbitrary URLs are present. Users will need to run npm install to satisfy dependencies; that's expected but should be done from a trusted environment.
!
Credentials
The code requires FEISHU_APP_ID and FEISHU_APP_SECRET (documented in SKILL.md) but the skill registry lists no required env vars — a mismatch. Additionally search_cal.js reads OPENCLAW_MASTER_ID which SKILL.md and registry do not mention. Requesting Feishu app credentials is appropriate for calendar management, but missing/undocumented env vars and the ability to act on calendars (delete events, add members, create public recurring events) elevate risk and should be documented and constrained.
Persistence & Privilege
always:false (normal). The skill does persist and modify local files (memory/calendar_events.json, HEARTBEAT.md) and creates/deletes events on Feishu. Those actions are expected for a syncing/calendar-management tool, but they are privileged (they modify calendars and repo files). There is no evidence the skill modifies other skills or system-wide configuration, but the destructive operations (DELETE events) and creation of ACL entries are high-impact and require explicit confirmation from the user.
Scan Findings in Context
[uses-dotenv] expected: The scripts load FEISHU_APP_ID and FEISHU_APP_SECRET from a .env file using dotenv — expected for an API-integrating calendar skill.
[api-delete-calendar-event] expected: cleanup.js and setup_routine.js call DELETE on calendar events via Feishu API. Deleting events is within calendar-management scope but is potentially destructive; user should expect this behavior and verify app permissions before running.
[writes-local-files] expected: sync.js writes memory/calendar_events.json and modifies HEARTBEAT.md. Persisting sync state and updating a heartbeat file is expected, but this will modify files in the agent/project workspace and may overwrite user content.
[creates-acl-and-recurring-events] expected: setup_shared.js and setup_routine.js create calendars, add ACL members, and schedule recurring events. These are consistent with a calendar admin skill yet are high-impact operations that should be deliberate and authorized.
[undeclared-env-var] unexpected: search_cal.js references OPENCLAW_MASTER_ID (and several files reference a ../common/time-helper.js). These are not declared in SKILL.md or registry metadata and may cause runtime errors or hidden dependencies.
What to consider before installing
Before installing or running: - Do not run these scripts in a production account or with credentials from an important/organizational Feishu app until you review them. The code can create, modify, and delete calendar events and ACLs. - Verify and provide only the minimal app credentials (FEISHU_APP_ID and FEISHU_APP_SECRET) and restrict the app's permissions if possible. - Confirm whether OPENCLAW_MASTER_ID is required; SKILL.md does not document it but search_cal.js references it. - Inspect setup_routine.js and cleanup.js: they delete events and create recurring 'maintenance' events (these do not execute system restarts but create calendar entries that mention restarts). If you don't want auto-creation/deletion, remove or modify those scripts. - Note the scripts write to repository files (HEARTBEAT.md and memory/calendar_events.json). Back up these files before running and run first in an isolated workspace. - The code references ../common/time-helper.js which is missing; expect runtime errors until that dependency is provided or references removed. - Run npm install only in a trusted environment and review the package.json/lockfile; dependencies appear standard. - If you are unsure, test using a dedicated Feishu test account/app with limited scope and observe behavior before granting any broader access.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97akng592b0n3paz4n539r5zn814azt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

feishu-calendar

Manage Feishu (Lark) Calendars. Use this skill to list calendars, check schedules, and sync events.

Usage

List Calendars

Check available calendars and their IDs.

node skills/feishu-calendar/list_test.js

Search Calendar

Find a calendar by name/summary.

node skills/feishu-calendar/search_cal.js

Check Master's Calendar

Specific check for the Master's calendar status.

node skills/feishu-calendar/check_master.js

Sync Routine

Run the calendar synchronization routine (syncs events to local state/memory).

node skills/feishu-calendar/sync_routine.js

Setup

Requires FEISHU_APP_ID and FEISHU_APP_SECRET in .env.

Standard Protocol: Task Marking

Trigger: User says "Mark this task" or "Remind me to...". Action:

  1. Analyze: Extract date/time (e.g., "Feb 4th" -> YYYY-MM-04).
  2. Execute: Run create.js with --attendees set to the requester's ID.
  3. Format: 
    node skills/feishu-calendar/create.js --summary "Task: <Title>" --desc "<Context>" --start "<ISO>" --end "<ISO+1h>" --attendees "<User_ID>"

Setup Shared Calendar

Create a shared calendar for a project and add members.

node skills/feishu-calendar/setup_shared.js --name "Project Name" --desc "Description" --members "ou_1,ou_2" --role "writer"

Files

15 total
Select a file
Select a file to preview.

Comments

Loading comments…