feishu-task-integration-skill
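Feishu task integration skill that provides two-way sync between to-do items and Feishu tasks. It automatically creates Feishu tasks, parses time expressions, sets task assignees, and supports task status sync and completion management. Use cases: syncing local to-do items to Feishu tasks, setting task deadlines, assigning task owners, and tracking task completion status.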
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 324 · 2 current installs · 2 all-time installs
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (two-way sync between local todos and Feishu tasks) is plausible, but the implementation contains surprising artifacts: the code reads credentials from environment variables (FEISHU_APP_ID / FEISHU_APP_SECRET) and from a hardcoded file path (/home/gary/.openclaw/workspace/feishu_config.json) even though the registry metadata declares no required env vars or config paths. The feishu_task_integration.py also hardcodes a current_user_id (ou_19c0ea...) and refers to a specific 'yangbin' user — behavior that is not justified by the generic description and looks like personal/test scaffolding left in production code.
Instruction Scope
SKILL.md instructs using a local feishu_config.json and running todo_handler.py, but the actual scripts reference absolute paths under /home/gary/.openclaw/workspace and attempt to read/write todo_data.json there. The SKILL.md does not mention the hardcoded path or the default addition of a specific user as follower/assignee. The runtime instructions and the code's file/credential access are therefore inconsistent and broader in scope than documented.
Install Mechanism
There is no install spec (instruction-only), so nothing will be downloaded or installed automatically. That reduces install-time risk. However, code files are included in the skill package and will run when executed.
Credentials
Registry metadata declared no required environment variables, but the code reads FEISHU_APP_ID, FEISHU_APP_SECRET (and optionally FEISHU_ASSIGNEE_USER_ID per references) from environment variables and/or a config file. That mismatch is problematic. Additionally, the code contains hardcoded sensitive-looking placeholders and a concrete open_id for a specific user (yangbin/current_user_id) which is disproportionate for a general-purpose integration and may cause unintended sharing of tasks with that account.
Persistence & Privilege
The skill does not request elevated platform privileges or set always: true. It persists todo and config files to disk (and in some scripts to absolute paths in /home/gary/.openclaw/workspace). Writing user files is expected for a todo-sync skill, but the use of another user's absolute home path is odd and could cause accidental reads/writes outside the intended working directory.
What to consider before installing
This skill is suspicious but not clearly malicious. Before installing or running it:
- Don't run it unmodified in a production account. Inspect and (preferably) use the cleaned scripts (the _clean.py files) and remove any hardcoded IDs or absolute paths.
- Provide credentials only via a secure feishu_config.json that you control or via environment variables; ensure the registry metadata correctly declares required env vars.
- Remove or change the hardcoded current_user_id and 'yangbin' references so the skill does not automatically add an unrelated third-party account as follower/assignee.
- Update file paths to use relative/workspace locations (or configurable paths) instead of /home/gary/… to avoid accidental access to another user's files.
- Review network behavior: the scripts call open.feishu.cn endpoints (expected), but you should confirm you intend to send your todo data there.
- If you need to trust this skill, run it in an isolated environment first (local VM or test account), verify it only uses the credentials you supplied, and rotate credentials after testing.
If you want, I can point out the exact lines with hardcoded paths/IDs and suggest safe edits to make before use.
Like a lobster shell, security has layers — review code before you run it.
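A pre-install check for three of the findings in the scan above (environment-variable reads the registry metadata does not declare, absolute home-directory paths, hardcoded open_id literals). This is an added example, not part of the skill or of the scanner's output; audit_source, the regexes and the sample source are constructed for illustration, and the open_id in the sample is a placeholder.

```python
import re

# One pattern per finding in the scan report (all three are assumptions of this example).
ENV_READ = re.compile(
    r"""os\.(?:environ\.get|getenv)\(\s*["']([A-Z0-9_]+)["']"""
    r"""|os\.environ\[\s*["']([A-Z0-9_]+)["']"""
)
HOME_PATH = re.compile(r"""["'](/(?:home|Users|root)/[^"']*)["']""")
OPEN_ID = re.compile(r"""["'](ou_[0-9a-f]{8,})["']""")


def audit_source(source, declared_env=()):
    """Return (line_no, kind, value) findings for one Python source string.

    declared_env is the set of variable names the registry metadata declares;
    any other variable the code reads is reported as undeclared.
    """
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in ENV_READ.finditer(line):
            name = m.group(1) or m.group(2)
            if name not in declared_env:
                findings.append((no, "undeclared_env", name))
        for m in HOME_PATH.finditer(line):
            findings.append((no, "absolute_home_path", m.group(1)))
        for m in OPEN_ID.finditer(line):
            findings.append((no, "hardcoded_open_id", m.group(1)))
    return findings


# Constructed sample that mimics what the scan describes; not the skill's code.
SAMPLE = '''\
import os, json
APP_ID = os.environ.get("FEISHU_APP_ID")
APP_SECRET = os.getenv("FEISHU_APP_SECRET")
CONFIG = "/home/gary/.openclaw/workspace/feishu_config.json"
current_user_id = "ou_0123456789abcdef0123456789abcdef"
assignee = json.load(open("feishu_config.json"))["assignee_user_id"]
'''

if __name__ == "__main__":
    # The registry metadata declared no env vars, so declared_env is empty.
    for no, kind, value in audit_source(SAMPLE):
        print(f"line {no}: {kind}: {value}")
```

To audit an unpacked skill, call audit_source on the text of each .py file and pass the variable names the registry metadata declares as declared_env.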
Current version v1.0.0
SKILL.md
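Feishu Task Integration
Overview
The Feishu task integration skill connects a local to-do system with the Feishu task platform, providing intelligent task management and synchronization.
Core capabilities
1. Automatic task creation
- Use the todo command followed by the task content to automatically create a Feishu task
- Automatically sets the task assignee and followers
- Generates a unique task identifier and access link
2. Smart time parsing
- Supports natural-language time expressions: "今天" (today), "明天" (tomorrow), "本周" (this week), "下周" (next week), "本月" (this month)
- Supports specific times: "下午3点" (3 PM), "晚上11点" (11 PM)
- Automatically converts to a standard timestamp format
3. Assignee management
- Automatically assigns tasks to the configured user
- Supports multi-person collaboration (followers and assignees are separate)
- Conforms to the Feishu task API specification
4. Status sync
- Tasks completed locally are automatically synced to Feishu
- Retrieves task completion status in real time
- Guarantees two-way data consistency
Quick start
Basic usage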
# Create a task (synced to Feishu automatically)
todo完成项目报告
# View the task list
todo
# Complete a task (synced to Feishu)
done0
Time expression examples
# Due today
todo今天完成文档整理
# Due tomorrow
todo明天提交周报
# Due this week
todo本周完成项目总结
# Specific time
todo今天晚上8点之前完成演示准备
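Configuration
Required configuration
Configure the following in feishu_config.json:
{
  "app_id": "your_app_id",
  "app_secret": "your_app_secret",
  "assignee_user_id": "ou_your_user_id"
}
Obtaining the configuration values
- App ID & Secret: obtained by creating an app in the Feishu developer console
- User ID: the user's open_id, in the format ou_xxxxxxxx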
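Technical implementation
File structure
- todo_handler.py - main handler; processes todo commands
- feishu_task_integration.py - Feishu task API integration
- feishu_config.json - configuration file
API integration
- Uses the Feishu task v2 API
- Correct field naming: members, assignee_list
- Conforms to Feishu API specifications and permission requirements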
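Troubleshooting
Common issues
- Task creation fails: check the API key and user ID configuration
- Assignee setting has no effect: confirm the user ID format is correct (starts with ou_)
- Time parsing errors: use the standard time expression formats
Debug information
View detailed log output: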
python3 todo_handler.py "todo测试任务" 2>&1
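Resource files
scripts/
Contains the core scripts:
- todo_handler.py - to-do handler
- feishu_task_integration.py - Feishu API integration
references/
Contains reference documents:
- api_guide.md - Feishu task API usage guide
- configuration.md - detailed configuration notes
assets/
Contains configuration file templates:
- feishu_config_template.json - configuration file template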
Files
8 total
