feishu-calender

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Feishu tenant token with these permissions could let the agent access availability data and create, modify, subscribe to, or delete calendar resources within the granted scope.

Why it was flagged

The skill requires a tenant access token with calendar read, mutation, and subscription permissions. This is relevant to the purpose, but it is high-impact account authority and the registry declares no primary credential or required environment variables.

Skill content

required_permissions:
  - calendar:calendar
  - calendar:calendar.free_busy:read
  - calendar:calendar:subscribe ... Authorization: Bearer {tenant_access_token}

Recommendation

Use a least-privileged Feishu app/token, make the credential requirement explicit, verify the exact granted scopes, and test with non-critical calendars before using it on production or company-wide calendars.

What this means

If invoked with the wrong IDs or assumptions, the agent could alter or delete meetings or send invitations/reminders to other users.

Why it was flagged

The instructions expose raw API operations for updating, deleting, and inviting attendees, but do not specify approval, dry-run, rollback, or calendar/attendee scoping controls.

Skill content

PATCH /open-apis/calendar/v4/calendars/:calendar_id/events/:event_id ... DELETE /open-apis/calendar/v4/calendars/:calendar_id/events/:event_id ... POST .../attendees?user_id_type=open_id

Recommendation

Require explicit user confirmation before creating, updating, deleting, subscribing, or inviting attendees, and show a summary of affected calendars, events, users, and times before making changes.

What this means

Calendar-change information could be continuously sent to or processed by an insufficiently defined webhook workflow, exposing sensitive schedule patterns or business activity.

Why it was flagged

The skill describes ongoing calendar-change subscriptions via webhook, including monitoring key personnel, but does not define the webhook endpoint, authentication, origin validation, consent model, or data-retention boundaries.

Skill content

POST /open-apis/calendar/v4/calendars/:calendar_id/subscribe ... Detect schedule changes of key personnel in real time and adjust follow-up tasks accordingly. Requires configuring an event callback (Webhook).

Recommendation

Only subscribe to calendars with authorization, use Feishu webhook signature validation and HTTPS, document the callback destination, limit retention, and provide a clear way to unsubscribe.