Feishu Webhook

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent and appears to do what it says: send user-provided Markdown text to a configured Feishu webhook.

This skill looks safe for its stated purpose. Before installing, confirm the Feishu webhook points to the intended channel or DM, keep the webhook URL and secret private, and instruct the agent not to send sensitive information unless you want it posted there.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anything the user or agent passes into the script may be posted to a Feishu channel or DM.

Why it was flagged

The script sends all provided stdin content to the configured Feishu webhook. This is the intended function, but it is an external message/data flow.

Skill content

content = sys.stdin.read().strip()
...
conn.request("POST", u.path, json.dumps(payload, ensure_ascii=False).encode(), {"Content-Type": "application/json"})

Recommendation

Only send content intended for that Feishu destination, and avoid including secrets or private data unless the channel is appropriate.

What this means

Whoever can use the configured environment can post messages through that Feishu bot/webhook.

Why it was flagged

The skill documents use of a webhook URL and secret, and the code reads them from environment variables. These credentials are expected for Feishu webhook posting, though the registry metadata lists no required env vars or primary credential.

Skill content

"FEISHU_WEBHOOK_URL": "https://open.feishu.cn/open-apis/bot/v2/hook/xxx",
"FEISHU_WEBHOOK_SECRET": "your_secret"

Recommendation

Configure a least-privilege Feishu webhook, protect the webhook URL and secret, and rotate them if they are exposed.