ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-calendar-meeting

创建飞书日历事件和视频会议。通过日历 API 创建,自动关联飞书视频会议。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 147 · 0 current installs · 0 all-time installs
by@sangy12
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description and runtime instructions align: it calls Feishu calendar APIs to create events and vchat links, which legitimately requires a user access token. However, registry metadata lists no required credentials or config paths while the SKILL.md includes an OpenClaw metadata block that declares a token (feishu_user_token) and the documentation expects a USER_TOKEN. This discrepancy between declared requirements and the instructions is a mismatch that should be clarified.
!
Instruction Scope
SKILL.md instructs creating OAuth credentials, performing token refresh, and saving tokens to ~/.openclaw/workspace/feishu_tokens.md, then reading USER_TOKEN from that file and using it in curl Authorization headers. That means the agent will read/write a plaintext token file in the user's home workspace — an action outside the declared config paths and a sensitive operation. Aside from the token file, all API calls are scoped to Feishu endpoints (open.feishu.cn, vc.feishu.cn) and the instructions avoid unnecessary data collection.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. No packages or external binaries are fetched or written to disk by an installer, which minimizes supply-chain risk.
!
Credentials
The skill needs a user access token to call Feishu APIs — that is proportional. But the registry says no required env vars/configs while SKILL.md expects a stored token and its internal metadata lists 'feishu_user_token'. The practice of storing long-lived refresh tokens/access tokens in a plaintext file under ~/.openclaw/workspace increases risk of token leakage. The skill does not document protections for that file (permissions, encryption) nor does it provide alternative secret storage options.
Persistence & Privilege
always is false and the skill does not request system-wide privileges or claim to modify other skills. The main persistence concern is the instruction to create a token file in the user's workspace (which gives the skill ongoing access to a sensitive secret), but that is a behavior of the instructions rather than an elevated platform privilege.
What to consider before installing
This skill appears to do what it says (create Feishu calendar events + video meetings) but there are two issues to consider before installing: (1) clarify where the access token should live — the SKILL.md expects a plaintext file at ~/.openclaw/workspace/feishu_tokens.md even though the registry declares no required credentials; (2) avoid storing long-lived tokens in plaintext. If you proceed, prefer using an OS or platform secret store (or environment variables with restricted scope), ensure file permissions are locked (chmod 600), limit OAuth scopes to the minimum needed, and rotate/revoke tokens after testing. Also verify the skill's publisher/source (there is no homepage) and ask the author to update the registry metadata to declare the required token and to document secure token handling.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9722nteczz4592w669ja0fjw582n35h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📅 Clawdis

SKILL.md

飞书日历 & 视频会议

通过飞书日历 API 创建事件,可选择关联飞书视频会议。

准备工作

1. OAuth 授权(首次)

需要获取 user_access_token,流程:

  1. 在飞书开放平台后台开通权限:
    • calendar:calendar
    • calendar:calendar.event:create
    • vc:meeting
  2. 配置重定向 URL(如 http://127.0.0.1:8080/callback
  3. 生成授权链接并让用户授权

2. Token 管理

  • access_token 有效期约 2 小时
  • refresh_token 有效期约 30 天
  • 过期后用 refresh_token 刷新

Token 保存在 ~/.openclaw/workspace/feishu_tokens.md

使用方式

创建日历会议(带视频会议)

# 参数
USER_TOKEN="xxx"  # 从 feishu_tokens.md 读取
CALENDAR_ID="feishu.cn_xxx@group.calendar.feishu.cn"

# 时间戳计算(明天 10:00-11:00 北京时间)
START_TS="1772071200"  # 2026-02-26 10:00:00
END_TS="1772074800"    # 2026-02-26 11:00:00

# 创建日历事件(带视频会议)
# 根据用户输入选择添加字段,不要添加用户未指定的字段

# 必填字段
JSON='{
  "start_time": {"timestamp": "'"$START_TS"'", "timezone": "Asia/Shanghai"},
  "end_time": {"timestamp": "'"$END_TS"'", "timezone": "Asia/Shanghai"},
  "summary": "会议标题",
  "vchat": {"vc_type": "vc"}
}'

# 可选:用户指定描述时添加
# "description": "描述内容"

# 可选:用户指定地点时添加
# "location": "地点"

curl -s -X POST "https://open.feishu.cn/open-apis/calendar/v4/calendars/${CALENDAR_ID}/events" \
  -H "Authorization: Bearer $USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d "$JSON"

参数说明

根据用户输入决定是否包含以下字段:

  • summary: 会议标题(必填)
  • description: 会议描述(用户指定时)
  • start_time: 开始时间(必填)
  • end_time: 结束时间(必填)
  • location: 会议地点(用户指定时)
  • vchat.vc_type: 设为 "vc" 创建视频会议

时间戳计算

import datetime
dt = datetime.datetime(2026, 2, 26, 10, 0, 0, tzinfo=datetime.timezone(datetime.timedelta(hours=8)))
timestamp = int(dt.timestamp())

获取用户日历 ID

curl -s "https://open.feishu.cn/open-apis/calendar/v4/calendars" \
  -H "Authorization: Bearer $USER_TOKEN"

返回的 calendar_id 即为主日历 ID

返回结果示例

成功创建后,返回要点:

  • 会议标题
  • 日期和时间
  • 会议链接

示例:

✅ 会议已创建!
📅 2026年2月27日 10:00-11:00
🎥 https://vc.feishu.cn/j/xxx

注意事项

  • 如果用户没有指定描述(description),不要添加额外的描述
  • 如果用户没有指定地点(location),不要添加

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…