Pywayne Lark Bot Listener
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent for a Feishu/Lark bot listener, but users should verify the external library and use limited Lark bot credentials because it can read incoming bot messages and send replies.
Install or use this only if you need a Feishu/Lark bot listener. Before using real credentials, verify the pywayne package source and version, grant the bot only the permissions it needs, avoid hardcoding app_secret values, and test automatic replies or file uploads in a limited chat first.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running this with real credentials is granting the listener the ability to receive messages available to the bot and act through that bot account.
The skill expects Lark application credentials, which are sensitive and allow bot-level access to the Feishu/Lark integration.
listener = LarkBotListener(
app_id="your_app_id",
app_secret="your_app_secret"
Use a least-privilege Lark bot app, avoid hardcoding secrets, store credentials in a secret manager or environment variables, and rotate them if exposed.
A broad or buggy handler could post unintended replies or files into Lark chats, including group chats.
The instructions document handler behavior that can automatically send chat messages or upload/send returned files/images.
listener.send_message(chat_id, f"已收到:{text}") ... Returns `Path`: automatically uploads and sends the new image
Limit handlers with group_only/user_only where appropriate, validate generated outputs and returned files, and test in restricted chats before production use.
Using an unverified or wrong package could expose Lark credentials and message data to code outside this reviewed artifact.
The skill depends on an external Python module, while the provided artifact set contains no code files or install specification for that dependency.
from pywayne.lark_bot_listener import LarkBotListener
Install pywayne only from a trusted source, pin the exact version, review its provenance, and verify it before providing real Lark credentials.
