ClawHub

feishu-calendar-event

v1.0.0

飞书日历管理技能,支持获取日历列表、查询、创建、更新、删除日程事件及设置重复和多级提醒。

2· 940·7 current·9 all-time
by@teweitao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, SKILL.md, package.json and calendar-client.js all describe a Feishu calendar client and use Feishu APIs — that matches the stated purpose. However the registry metadata lists no required env vars or primary credential while package.json.openclaw.config and SKILL.md require FEISHU_APP_ID and FEISHU_APP_SECRET. This metadata mismatch is incoherent and should be corrected.
Instruction Scope
SKILL.md and example.md instruct only to call official Feishu endpoints (token, calendar, events). They do not ask the agent to read unrelated system files or exfiltrate data to third-party endpoints. However the docs encourage embedding credentials directly into code examples (code block and example), which is a bad practice and increases risk if users copy/paste credentials.
Install Mechanism
No network install/downloads or obscure installers are used — this is an instruction-only skill with a small JS client and package.json. No extract/download URLs or third-party installers present.
!
Credentials
The skill requires FEISHU_APP_ID and FEISHU_APP_SECRET to function (package.json.openclaw.config and SKILL.md). Those credentials are proportionate to the feature. But the registry metadata incorrectly lists no required env vars; calendar-client.js also provides hardcoded placeholder defaults in code which could encourage insecure practices. Requiring secrets is expected, but the inconsistent metadata and guidance to place secrets in code are problematic.
Persistence & Privilege
always is false, no config paths or platform-global changes requested, and the skill does not claim to modify other skills. Autonomous invocation remains enabled (platform default) but is not combined with other high-risk flags.
What to consider before installing
This skill is plausibly what it says (a Feishu calendar client) but there are packaging and guidance problems you should address before installing: 1) The registry metadata claims no required env vars, but package.json and SKILL.md require FEISHU_APP_ID and FEISHU_APP_SECRET — expect to provide those secrets. 2) Do NOT hardcode App Secret in source; use environment variables or a secret store. 3) Verify the referenced GitHub repo/source code (package.json points to a repo) and confirm the code hasn't been tampered with. 4) Check the Feishu app permissions being requested and grant the minimum necessary. 5) Run the skill in a constrained environment (no sensitive host credentials) until you’ve reviewed the code and validated behavior. If you need higher assurance, ask the publisher to fix the registry metadata and provide a signed release or repository link before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk977k1fcv0ezd4ae2cgqj7tda1822xk8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments