feishu-calender
v1.0.0飞书日历日程管理 Skill。创建日历/日程、查询空闲忙状态、订阅日历变更。当需要自动安排会议、查询时间冲突或监控日程变动时使用此 Skill。
⭐ 0· 869·7 current·7 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes Feishu Calendar APIs and operations (create calendars/events, free/busy queries, subscribe/webhook). That purpose aligns with the name and description. However, the skill does not declare or require the tenant access token or any API credential even though all API calls require Authorization: Bearer {tenant_access_token}, creating a clear capability–requirement mismatch.
Instruction Scope
Instructions are specific to Calendar v4 endpoints and do not ask the agent to read unrelated local files or system state. But they explicitly reference an Authorization header with a tenant_access_token and describe setting up webhooks (callback endpoints). The SKILL.md does not explain where the token comes from or how webhook callbacks should be secured, which leaves important runtime behavior undefined and grants the agent broad discretion to use an unstated secret.
Install Mechanism
No install spec and no code files — instruction-only skill. This is low-risk from an install/execution perspective because nothing will be downloaded or written by default.
Credentials
The skill requests no environment variables or primary credential, yet its examples and auth header require a tenant_access_token (sensitive). Required_permissions lists Feishu calendar scopes (OAuth-like scopes) but there is no declared mechanism to supply or limit the token. The absence of declared credentials is disproportionate to the skill's need for an auth token and should be remedied.
Persistence & Privilege
The skill is not set to always:true and does not request persistent platform privileges. It is user-invocable and allows autonomous invocation (default), which is normal for skills. Nothing in the skill requests modification of other skills or system-wide config.
What to consider before installing
This skill appears to be an instruction-only integration for Feishu Calendar, but it omits how the agent will obtain and store the tenant_access_token (the bearer token required by all API calls). Before installing or enabling it, ask the publisher to (1) declare a primary credential (tenant_access_token) or a secure OAuth flow, (2) explain how webhook callbacks should be registered and secured (to avoid exposing endpoints), and (3) confirm minimal required scopes and token lifetime. Because the source and homepage are unknown, avoid providing long-lived or high-privilege tokens until you can verify the author and see a clear credential-handling plan.Like a lobster shell, security has layers — review code before you run it.
latestvk97231ek3d5w9ekb64xyn2krwx812m2p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.