feishu-im
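v1.0.0
Feishu messaging and group management Skill. Send messages, create groups, pin, send urgent messages, recall, group menus/Tabs/announcements, and 25+ other IM capabilities. Use this Skill when you need to send messages via Feishu, manage group chats, operate on group members, or configure group features.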
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description and the runtime instructions align: all APIs and actions (send messages, create chats, pins, reactions, menus, tabs, widgets, feed cards, tags, urgent messages, etc.) are consistent with a Feishu IM management skill.
Instruction Scope
Runtime instructions explicitly require Authorization: Bearer {tenant_access_token} and detail many write operations (sending messages, creating chats, adding members, updating announcements, feed cards, tags, urgent pushes). The SKILL.md does not instruct reading unrelated files, but it does not explain where or how to obtain/provide the required tenant_access_token, nor does the metadata declare this secret — the instructions therefore expect use of sensitive credentials that are not surfaced in the skill manifest.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk and there is no package download risk.
Credentials
Metadata lists no required env vars or primary credential, yet the instructions require a tenant_access_token (sensitive) and the SKILL.md lists many high-privilege Feishu IM scopes (most are write-only). The absence of any declared credential in the manifest is disproportionate and inconsistent with the operations the skill describes.
Persistence & Privilege
always is false and the skill is instruction-only with no install/persistence. It does not request permanent presence or modify other skills' config; however, allowing autonomous invocation (platform default) combined with broad write scopes would increase blast radius if credentials are provided.
What to consider before installing
Before installing or enabling this skill:
1) Confirm the source/owner and ask for a homepage or repository — the published metadata lacks a homepage and source details.
2) Do not provide admin-level or broad tenant tokens. The SKILL.md requires a tenant_access_token but the manifest declares no env var — ask the developer to declare required environment variables and to document least-privilege scopes.
3) If you must test, create a scoped test app in a non-production tenant with only the minimal Feishu permissions needed for your scenario and rotate the token after testing.
4) Review and limit write permissions (message send/recall/pins, chat member write, announcement write, urgent, feed/tag writes, etc.) — these allow sending messages and modifying groups and could be used to spam or exfiltrate data.
5) Prefer to run in a staging environment first and require the developer to explain how tokens are obtained, stored, and rotated.
If the developer cannot justify the missing credential declaration and the wide write scopes, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
