feishu-calender
Review
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only Feishu calendar skill is purpose-aligned, but it can use tenant credentials to change or delete meetings, invite attendees, and monitor calendar changes without clear scoping or confirmation guidance.
Review this skill before use if it will connect to a real Feishu tenant. Grant only the minimum calendar scopes, require user confirmation for any create/update/delete/invite action, and ensure calendar-change webhooks are authenticated, limited to approved calendars, and easy to disable.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Feishu tenant token with these permissions could let the agent access availability data and create, modify, subscribe to, or delete calendar resources within the granted scope.
The skill requires a tenant access token with calendar read, mutation, and subscription permissions. This is relevant to the purpose, but it is high-impact account authority and the registry declares no primary credential or required environment variables.
required_permissions:
- calendar:calendar
- calendar:calendar.free_busy:read
- calendar:calendar:subscribe ... Authorization: Bearer {tenant_access_token}
Use a least-privileged Feishu app/token, make the credential requirement explicit, verify the exact granted scopes, and test with non-critical calendars before using it on production or company-wide calendars.
If invoked with the wrong IDs or assumptions, the agent could alter or delete meetings or send invitations/reminders to other users.
The instructions expose raw API operations for updating, deleting, and inviting attendees, but do not specify approval, dry-run, rollback, or calendar/attendee scoping controls.
PATCH /open-apis/calendar/v4/calendars/:calendar_id/events/:event_id ... DELETE /open-apis/calendar/v4/calendars/:calendar_id/events/:event_id ... POST .../attendees?user_id_type=open_id
Require explicit user confirmation before creating, updating, deleting, subscribing, or inviting attendees, and show a summary of affected calendars, events, users, and times before making changes.
Calendar-change information could be continuously sent to or processed by an insufficiently defined webhook workflow, exposing sensitive schedule patterns or business activity.
The skill describes ongoing calendar-change subscriptions via webhook, including monitoring key personnel, but does not define the webhook endpoint, authentication, origin validation, consent model, or data-retention boundaries.
POST /open-apis/calendar/v4/calendars/:calendar_id/subscribe ... Perceive key personnel's schedule changes in real time and adjust follow-up tasks accordingly. Requires configuring an event callback (Webhook).
Only subscribe to calendars with authorization, use Feishu webhook signature validation and HTTPS, document the callback destination, limit retention, and provide a clear way to unsubscribe.
