Feishu Webhook
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anything the user or agent passes into the script may be posted to a Feishu channel or DM.
The script sends all provided stdin content to the configured Feishu webhook. This is the intended function, but it is an external message/data flow.
content = sys.stdin.read().strip() ... conn.request("POST", u.path, json.dumps(payload, ensure_ascii=False).encode(), {"Content-Type": "application/json"})
Only send content intended for that Feishu destination, and avoid including secrets or private data unless the channel is appropriate.
Whoever can use the configured environment can post messages through that Feishu bot/webhook.
The skill documents use of a webhook URL and secret, and the code reads them from environment variables. These credentials are expected for Feishu webhook posting, though the registry metadata lists no required env vars or primary credential.
"FEISHU_WEBHOOK_URL": "https://open.feishu.cn/open-apis/bot/v2/hook/xxx", "FEISHU_WEBHOOK_SECRET": "your_secret"
Configure a least-privilege Feishu webhook, protect the webhook URL and secret, and rotate them if they are exposed.
