Pywayne Lark Bot Listener
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running this with real credentials is granting the listener the ability to receive messages available to the bot and act through that bot account.
The skill expects Lark application credentials, which are sensitive and allow bot-level access to the Feishu/Lark integration.
listener = LarkBotListener(
    app_id="your_app_id",
    app_secret="your_app_secret"
Use a least-privilege Lark bot app, avoid hardcoding secrets, store credentials in a secret manager or environment variables, and rotate them if exposed.
A broad or buggy handler could post unintended replies or files into Lark chats, including group chats.
The instructions document handler behavior that can automatically send chat messages or upload/send returned files/images.
listener.send_message(chat_id, f"已收到:{text}") ... Returns `Path`: automatically uploads and sends the new image
Limit handlers with group_only/user_only where appropriate, validate generated outputs and returned files, and test in restricted chats before production use.
Using an unverified or wrong package could expose Lark credentials and message data to code outside this reviewed artifact.
The skill depends on an external Python module, while the provided artifact set contains no code files or install specification for that dependency.
from pywayne.lark_bot_listener import LarkBotListener
Install pywayne only from a trusted source, pin the exact version, review its provenance, and verify it before providing real Lark credentials.
