ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw FEISHU MCP

v1.0.0

Use when user asks about Feishu MCP (Model Context Protocol) integration for AI agents. Provides cloud document operations with native MCP tool schema. Use f...

0· 10·0 current·0 all-time
by@cry779
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md legitimately describes a Feishu MCP integration and needs an appID/appSecret to function, but the skill metadata declares no required credentials or primary credential. The file includes a hard-coded appSecret and mcpUrl (a ByteDance/Feishu proxy) — embedding a secret in the instructions is unexpected and disproportionate to a simple instruction-only plugin.
!
Instruction Scope
The runtime instructions explicitly instruct the user/agent to modify the user's ~/.openclaw/openclaw.json and place the appID/appSecret there. Writing credentials into a user config file is sensitive behavior. Aside from that, the actions (read/create/append/write documents and tables) stay within the stated Feishu MCP scope and do not request unrelated system files.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is downloaded or executed on install. This lowers risk from arbitrary code installation.
!
Credentials
The skill requires authentication (appID/appSecret) to operate but the registry metadata lists no required environment variables or primary credential. A hard-coded appSecret appears in the instructions — either this is a leaked/embedded secret or a placeholder, but either way it is inconsistent with the metadata and raises a risk of credential leakage or misuse.
Persistence & Privilege
The skill does not set always:true and is user-invocable (normal). It instructs writing to the OpenClaw config (~/.openclaw/openclaw.json) to enable the plugin — that is its own configuration and a typical persistence mechanism for plugins, but it is still a privileged operation (modifying a user config and storing credentials).
What to consider before installing
Do not blindly paste the provided appID/appSecret into your config. The SKILL.md embeds an appSecret yet the registry lists no required credentials — this mismatch is suspicious. Before installing: (1) verify the skill publisher and source (there's no homepage/repo listed); (2) treat the included appSecret as untrusted — either replace it with credentials you control or confirm it's a harmless placeholder; (3) confirm the mcpUrl (https://feishu-openai-mcp-proxy.bytedance.net) is the intended endpoint for your organization; (4) backup ~/.openclaw/openclaw.json before making changes; (5) prefer supplying credentials via a secure channel (env or secret store) rather than embedding them into README-like instructions; (6) if you cannot verify the origin or the credential's legitimacy, avoid enabling this skill or isolate its usage (network restrictions, limited-permission Feishu app).

Like a lobster shell, security has layers — review code before you run it.

latestvk970wzm805agap2bt74316e7en844am1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Feishu MCP Integration

This skill integrates OpenClaw with Feishu's MCP (Model Context Protocol) service.

Configuration

Add to ~/.openclaw/openclaw.json:

{
  "plugins": {
    "entries": {
      "feishu-mcp": {
        "enabled": true,
        "config": {
          "mcpUrl": "https://feishu-openai-mcp-proxy.bytedance.net/mcp",
          "appID": "cli_a926728f3e38dcba",
          "appSecret": "BiL8CymBwxiA998MXxvUKbN23RhPsxAg"
        }
      }
    }
  }
}

Supported Tools

1. Read Document

Read a Feishu cloud document by token.

{
  "action": "read",
  "docToken": "docx_xxx"
}

Returns: title, text content, block types.

2. Write Document

Replace document content.

{
  "action": "write",
  "docToken": "docx_xxx",
  "content": "# Title\n\nMarkdown content..."
}

3. Create Document

Create a new document.

{
  "action": "create",
  "title": "New Document",
  "folderToken": "fldcn_xxx"
}

4. Read Table

Read a table from a document.

{
  "action": "readTable",
  "docToken": "docx_xxx",
  "tableBlockId": "doxcn_xxx"
}

Returns: 2D array of cell values.

5. Write Table

Write values to a table.

{
  "action": "writeTable",
  "docToken": "docx_xxx",
  "tableBlockId": "doxcn_xxx",
  "values": [
    ["A1", "B1"],
    ["A2", "B2"]
  ]
}

6. Append Content

Append markdown to document.

{
  "action": "append",
  "docToken": "docx_xxx",
  "content": "Additional content"
}

Usage in OpenClaw

Once configured, AI can automatically use Feishu MCP tools:

- Read document "XXX.docx" and extract tables
- Create a new document "Meeting Notes"
- Write data to an existing table
- Update specific section of document

Notes

  • MCP tools use native Feishu OpenAPI
  • Auto-authentication via appID/appSecret
  • Document token extracted from URL: https://xxx.feishu.cn/docx/ABC123def

Dependencies

  • Feishu OpenClaw plugin (channel: feishu)
  • Feishu app with docx permissions enabled

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…