Feishu Sheet Links
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated Feishu-link extraction purpose, but it can reuse an existing logged-in Chrome session and has unsafe output filename handling that users should review before installing.
Use this only on Feishu documents and link lists you trust. Before using the download option, review the extracted URLs, choose a safe output directory, and avoid running it against an existing logged-in Chrome debugging session unless you intentionally want that session used.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Feishu page may be accessed using an existing browser session rather than a clean public-only context, which can blur the boundary between public scraping and authenticated account access.
The script prefers attaching to an already-running Chrome debug instance. That browser may have existing Feishu cookies or other logged-in state, while the skill is presented as working with public documents only.
const existingWs = await findExistingChrome(); ... if (existingWs) { cdp = await CdpSession.connect(existingWs); }
Default to the isolated profile, make existing-session reuse opt-in, and clearly warn users when a logged-in Chrome profile may be used.
A malicious or unusual spreadsheet/link JSON could cause Markdown files to be written somewhere other than the folder the user selected.
The sheet/month name from the links JSON is used directly in a filesystem path, while only the title is sanitized. A crafted sheet name containing path separators could write outside the intended output directory.
let fname = `${month}-${slug}.md`; let fpath = path.join(outDir, fname); ... await writeFile(fpath, md, "utf-8");
Sanitize the sheet name as well as the title, and verify the resolved output path remains inside the chosen output directory before writing.
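One way to apply both recommendations, as an added example that is not the skill's own code: every path segment taken from the links JSON (month and title alike) is reduced to an allowlisted character set, and the final path is still checked against the chosen output directory before any write, so the containment check does not depend on the sanitizer being perfect. The function names and the allowlist are this example's assumptions, not the skill's.

```typescript
import * as path from "node:path";

// Hypothetical hardening for the downloader's filename handling (added example,
// not the skill's own code). Both the sheet/month name and the title come from
// the links JSON, so both are treated as untrusted.

// Keep letters and digits from any script (Feishu sheet names are often
// non-ASCII), plus "_" and "-". No "/" or "\", and no "." so a segment can
// never become ".", ".." or a dotfile. Built with RegExp() so the "u" flag
// does not depend on the TypeScript compile target.
const UNSAFE_RUN = new RegExp("[^\\p{L}\\p{N}_-]+", "gu");

export function sanitizeSegment(raw: string, fallback = "untitled"): string {
  let s = raw.replace(UNSAFE_RUN, "-");       // collapse unsafe runs to "-"
  s = s.replace(/-+/g, "-").replace(/^-|-$/g, ""); // tidy leading/trailing "-"
  return s.length > 0 ? s.slice(0, 100) : fallback;
}

// True only if `candidate` resolves to a path strictly inside `outDir`.
// Uses path.relative rather than a string-prefix test, so "/tmp/out" does not
// accidentally accept "/tmp/outside/x.md".
export function isInside(outDir: string, candidate: string): boolean {
  const root = path.resolve(outDir);
  const target = path.resolve(candidate);
  const rel = path.relative(root, target);
  if (rel === "" || path.isAbsolute(rel)) return false;
  if (rel === ".." || rel.indexOf(".." + path.sep) === 0) return false;
  return true;
}

// Mirrors the audited snippet's `${month}-${slug}.md` layout, with the sheet
// name sanitized as well and a containment check before the caller writes.
export function buildOutputPath(outDir: string, month: string, title: string): string {
  const fname = `${sanitizeSegment(month)}-${sanitizeSegment(title)}.md`;
  const fpath = path.join(outDir, fname);
  if (!isInside(outDir, fpath)) {
    throw new Error(`refusing to write outside ${outDir}: ${fpath}`);
  }
  return fpath;
}

// Constructed inputs: a crafted sheet name that would traverse upward if
// used raw, and an ordinary one.
export const crafted = buildOutputPath("/tmp/out", "../../etc", "cron");   // /tmp/out/etc-cron.md
export const normal = buildOutputPath("/tmp/out", "2026-05", "Release notes");
```

`isInside` is deliberately separate from `sanitizeSegment`: the sanitizer decides what a name looks like, the containment check decides whether the write is allowed at all, and the second should stay in place even if the first is later relaxed to admit more characters.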
If the spreadsheet contains unexpected links, the tool may automatically visit them during batch download.
The downloader opens every URL from the extracted links file in Chrome. This is expected for batch downloading, but it means spreadsheet-controlled links drive browser navigation.
for (const l of links) items.push({ month, text: l.text, url: l.url }); ... const { targetId } = await cdp.send<{ targetId: string }>("Target.createTarget", { url });
Review the extracted URL list before downloading, and consider adding scheme/domain allowlists for Feishu article downloads.
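A scheme and domain allowlist of the kind suggested above, as an added example that is not the skill's own code: each URL from the links JSON is parsed, required to be https, required to carry no embedded credentials, and required to sit on an allowlisted domain (exact match or a true subdomain, so a look-alike such as `feishu.cn.evil.example` is rejected). Only the surviving items would be handed to `Target.createTarget`. The domain list, the function names and the sample links are this example's assumptions.

```typescript
// Added example (not the skill's own code): gate the URLs pulled from the
// links JSON before the downloader opens them in Chrome. The domain list is
// an assumption; adjust it to the Feishu/Lark tenants you actually use.
const ALLOWED_HOSTS: string[] = ["feishu.cn", "larksuite.com"];

export interface LinkItem { month: string; text: string; url: string }
export interface FilterResult {
  allowed: LinkItem[];
  rejected: { item: LinkItem; reason: string }[];
}

// Exact match or a real subdomain ("x.feishu.cn"), never a suffix match on
// the bare string ("feishu.cn.evil.example" must not pass).
function hostMatches(host: string, domain: string): boolean {
  if (host === domain) return true;
  const suffix = "." + domain;
  return host.length > suffix.length &&
    host.slice(host.length - suffix.length) === suffix;
}

// Returns null when the URL is acceptable, otherwise a human-readable reason.
export function checkUrl(raw: string, hosts: string[] = ALLOWED_HOSTS): string | null {
  let u: URL;
  try { u = new URL(raw); } catch (e) { return "unparseable URL"; }
  if (u.protocol !== "https:") return `scheme not allowed: ${u.protocol}`;
  if (u.username || u.password) return "credentials embedded in URL";
  const host = u.hostname.toLowerCase();
  if (!hosts.some((d) => hostMatches(host, d))) return `host not allowlisted: ${host}`;
  return null;
}

// Split the extracted items into those the browser may visit and those to
// show the user with a reason, instead of navigating to everything.
export function filterLinks(items: LinkItem[], hosts: string[] = ALLOWED_HOSTS): FilterResult {
  const result: FilterResult = { allowed: [], rejected: [] };
  for (const item of items) {
    const reason = checkUrl(item.url, hosts);
    if (reason === null) result.allowed.push(item);
    else result.rejected.push({ item, reason });
  }
  return result;
}

// Constructed sample shaped like the links JSON the skill emits.
export const SAMPLE_LINKS: LinkItem[] = [
  { month: "2026-04", text: "Release notes", url: "https://example.feishu.cn/docx/abc123" },
  { month: "2026-04", text: "Lark mirror", url: "https://sub.larksuite.com/wiki/xyz" },
  { month: "2026-05", text: "Look-alike host", url: "https://feishu.cn.evil.example/docx/1" },
  { month: "2026-05", text: "Local file", url: "file:///etc/passwd" },
  { month: "2026-05", text: "Script URL", url: "javascript:alert(1)" },
  { month: "2026-05", text: "Plain http", url: "http://example.feishu.cn/docx/2" },
];

export const sampleResult = filterLinks(SAMPLE_LINKS); // 2 allowed, 4 rejected
```

In the downloader this would replace the unconditional loop over `links`: iterate `sampleResult.allowed` for navigation and print `sampleResult.rejected` with reasons so the user sees what the spreadsheet tried to make the browser open.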
The runtime used to execute the scripts may be fetched dynamically rather than coming from a pinned, preinstalled toolchain.
The workflow runs Bun through `npx -y` without a pinned version, while registry requirements do not declare Bun or Chrome as required binaries.
npx -y bun "${SKILL_DIR}/scripts/main.ts" "<spreadsheet-url>" -o feishu-links.json
Declare Bun and Chrome in metadata, prefer a locally installed Bun binary, and pin versions where practical.
