Feishu Agent Mesh
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a disclosed Feishu multi-agent relay blueprint, but it asks for bot secrets and agent session/invocation access while enabling autonomous cross-agent actions and persistent chat logging.
Treat this as infrastructure, not a simple chat helper. Install only if you can manage Feishu and OpenClaw credentials securely, restrict the Relay to approved chats and agents, require human approval for impactful actions, pin/review the Node dependencies, and disclose that backend agents may read and act on Feishu chat messages.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read or misuse the resulting config could impersonate or control Feishu bots, access logged chat data, or send work into agent sessions.
The skill instructs users to collect Feishu app secrets and OpenClaw session keys, then place them in a shared configuration workflow. These credentials can control bot identity, event decryption, logging, and agent session targeting.
飞书应用 | label, appId, appSecret, encryptKey, verificationToken ... Agent 会话 | agentId, sessionKey ... 并与团队共享
Use a secret manager instead of shared JSON/docs, restrict each app and token to least privilege, rotate credentials, declare required credentials in metadata, and avoid sharing raw session keys broadly.
A route, shared-state entry, or compromised Relay could cause agents on other hosts to run capabilities beyond what a human expected for a chat message.
The Relay is meant to call agent tool endpoints or CLI commands. The artifacts describe approvals for some checkpoints, but they do not clearly enforce user approval for every high-impact tool or CLI action.
机器人自身的调用入口(HTTP `/tools/invoke` URL 或 CLI 命令)及鉴权方式 | 让 Relay 能够执行具体能力
Require per-tool allowlists, explicit human approval for destructive or external-impact actions, dry-run previews, scoped service accounts, and audit logs tied to each invocation.
If one relay route, token, or agent endpoint is exposed, messages and tool requests could move laterally across the mesh.
The design connects agents across servers through a Relay and tool interfaces, but the artifacts do not define a strong inter-agent identity, request-signing, per-agent authorization, or network boundary model.
Worker Agents (OpenClaw instances) ... 各自暴露 `/tools/invoke`(或 CLI 接口)供 Relay 调用具体能力。- 定期向 Relay 报告可用能力、健康状态。
Use per-agent credentials, signed requests or mTLS, network allowlists, per-agent authorization policies, and reject unknown agents, chats, and callback origins by default.
Private chat content may be retained and reused across agents, and malicious or misleading chat text could poison shared context if agents later treat stored records as trusted instructions.
The helper server persists sender OpenIDs and raw message content to the configured Bitable log store. Those records are part of the shared context used by the multi-agent workflow.
[LOG_FIELDS_ACTOR]: openId, ... [LOG_FIELDS_CONTENT]: msgContent, ... await appendLog(record);
Redact sensitive content, restrict log access, set retention limits, separate audit logs from agent prompt context, sanitize retrieved messages, and treat all stored chat text as untrusted input.
Agents may continue reading shared state and acting on queued records until the polling jobs or Relay are stopped.
The design includes recurring background polling by each agent. This is disclosed and purpose-aligned, but it means the system keeps operating after initial setup.
在每个机器人实例里添加一个定时任务(60s 内),读取共享存储中“自己未处理”的记录。
Run workers under supervised service accounts, provide a kill switch, monitor queues, expire tasks, and disable polling when a project or chat integration is no longer needed.
Dependency changes or a bad package install could affect the callback server that processes secrets and chat events.
The setup asks users to install unpinned npm packages for a service that handles Feishu credentials and message data. This is user-directed and central to the helper script, but provenance should be controlled.
npm install express body-parser node-fetch crypto
Pin dependency versions, commit a lockfile, review the exact script before running, and avoid unnecessary packages such as npm `crypto` when the Node built-in module is intended.