Pywayne Lark Custom Bot

Review

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward Lark/Feishu messaging helper, but using it can post to chats and requires protecting bot credentials.

Before installing or using this skill, verify the pywayne package source, use the least-privileged Lark/Feishu bot credentials possible, and require user confirmation before sending messages to shared channels, uploading images, sharing chats, or using @all mentions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with real credentials, the agent could send messages or alerts to Lark/Feishu channels, including potentially disruptive @all notifications.

Why it was flagged

The skill documents sending Lark/Feishu messages, including @all notifications; this is purpose-aligned but can create visible messages and alerts in a workplace channel.

Skill content

bot.send_text("重要通知!", mention_all=True)

Recommendation

Use only with intended webhooks and confirm the destination, content, and any @all mentions before sending.

What this means

Anyone or any agent with these values may be able to send bot messages or upload images through the configured Lark/Feishu bot.

Why it was flagged

The documented setup uses a webhook, signing secret, and optional app credentials; these are expected for a Lark bot, but they grant bot-level access and are not declared as registry credentials.

Skill content

webhook="your_webhook_url", secret="your_secret", bot_app_id="your_app_id", bot_secret="your_app_secret"

Recommendation

Provide only narrowly scoped bot credentials, avoid pasting real secrets into reusable transcripts or committed files, and rotate credentials if exposed.

What this means

The safety of the actual Python module used at runtime depends on whatever pywayne package is installed in the user's environment.

Why it was flagged

The reviewed artifacts do not include the implementation or an install source, while the skill instructions rely on an external pywayne module.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; No code files present

Recommendation

Install or use the pywayne package only from a trusted source and review its implementation separately if it will handle real webhooks or app secrets.