feishu-smart-alarm
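v1.0.0
Reads Feishu/Lark message text, identifies whether it contains a to-do that needs a reminder and a deadline, and sends a single reminder at a lead time that the system determines automatically from the message semantics and time span, leaning slightly toward the generous side. Suited to Feishu bots handling messages in private or group chats such as "give it to me before 5 today", "remind me at 3 pm tomorrow", or "remember to submit before Friday"; by default it reminds the sender of the original message and sends the reminder back to the original Feishu conversation. After successful recognition...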
by HeiMaoM @hei-maom
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the implementation: the code parses Chinese time expressions, decides reminder lead time, stores reminders in a local SQLite DB, and calls the Feishu API to send confirmation and reminder messages. Required env vars (FEISHU_APP_ID, FEISHU_APP_SECRET) are appropriate for this purpose.
Instruction Scope
SKILL.md and CLI commands limit behavior to analyzing message text, creating local reminders, sending confirmations, and polling/sending due reminders. The code does load .env files (cwd and repo root) into os.environ at runtime — this means any .env placed beside the skill could influence behavior (e.g., override FEISHU_BASE_URL or supply other envs). Otherwise the instructions do not direct reading unrelated system files or exfiltrating data to unexpected endpoints.
Install Mechanism
There is no install spec; the package is run as Python scripts. requirements.txt only lists requests>=2.31.0, which is proportionate. No remote downloads or extracted archives are specified.
Credentials
The declared required credentials are FEISHU_APP_ID and FEISHU_APP_SECRET — appropriate and minimal for sending messages via Feishu. Optional FEISHU_BASE_URL can override the API host; if set maliciously it could receive tokens (this is a general risk whenever base URLs are overridable). The code also reads .env files automatically, which could surface other secrets if run in a directory with unexpected .env files.
Persistence & Privilege
The skill does not request always:true and does not alter other skills. It persists data to a local SQLite DB and offers a long-running polling loop to send reminders — this is expected for this functionality and within scope.
Assessment
This skill appears to implement exactly what it claims: parsing Chinese time expressions, storing reminders locally, and using Feishu credentials to send messages. Before installing, consider:
1) Provide a dedicated Feishu app account with minimal permissions (only what’s needed to send messages) and avoid reusing high-privilege credentials.
2) Run the skill in an isolated environment or container so its automatic .env loading cannot pick up unrelated secrets from the host.
3) Ensure FEISHU_BASE_URL is not overridden to an untrusted endpoint; the default is https://open.feishu.cn.
4) Secure or relocate the SQLite DB path (FEISHU_SMART_ALARM_DB) if the reminders contain sensitive content.
5) Review the code (time parsing, API calls, and the polling loop) yourself if you have additional trust requirements. If you cannot review code, restrict credentials and run under least privilege.
Like a lobster shell, security has layers — review code before you run it.
latest vk9799y5bvdybjhynpta6zdab1n8334jc
