feishu-calendar-event
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: feishu-calendar-event Version: 1.0.0 The OpenClaw AgentSkills bundle for Feishu Calendar is benign. All code and documentation align with the stated purpose of managing Feishu calendar events. Network calls are exclusively directed to the legitimate Feishu API endpoint (`open.feishu.cn`). Credentials (`FEISHU_APP_ID`, `FEISHU_APP_SECRET`) are handled securely via environment variables, as specified in `SKILL.md` and `package.json`. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts in `SKILL.md` or `example.md` designed to subvert the agent's behavior beyond its intended function.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If granted, the skill can affect real Feishu calendar data, including enterprise calendars if the app has those permissions.
The skill requires Feishu app credentials and permissions that can read and mutate calendar data, including deleting events. This matches the stated calendar-management purpose but is high-impact account authority.
开通以下权限: ... calendar:calendar.event:create ... calendar:calendar.event:update ... calendar:calendar.event:delete ... 获取凭证 ... App ID ... App Secret
Grant only the Feishu permissions you actually need, keep the App Secret out of source files, and require user confirmation before creating, updating, or deleting events.
A mistaken or over-broad agent action could create, modify, or delete the wrong calendar event.
The skill documents raw Feishu API operations for calendar mutations. These are expected for a calendar management skill, but write/delete API calls can have user-visible effects if invoked on the wrong event.
创建日程 POST ... 更新日程 PATCH ... 删除日程 DELETE
Use explicit calendar IDs, event IDs, and date ranges, and ask the user to confirm any update or delete operation.
A user relying only on registry metadata might not realize the skill needs Feishu credentials and network access to the Feishu API.
The registry metadata does not reflect the Feishu credentials and web_fetch usage documented in SKILL.md/package.json. The credential use is disclosed in the files, but the registry-level contract is incomplete.
Required env vars: none ... Primary credential: none ... Capability signals: No capability tags were derived.
Review SKILL.md and package.json before installing, and update registry metadata to declare FEISHU_APP_ID, FEISHU_APP_SECRET, and Feishu API/web_fetch usage.