feishuweng

Review

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Feishu message-sending skill; users should notice that it needs Feishu app credentials and can send messages under that app.

Before installing, make sure the Feishu app credentials are limited to the recipients and permissions you intend, and only let trusted agents use this skill to send messages.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent invokes the skill with the wrong recipient or content, a real Feishu message may be delivered.

Why it was flagged

The agent-supplied recipient and text are used to send a Feishu message. This is the skill's stated purpose, but it is still an outbound action under the configured app identity.

Skill content

    receive_id = params.get("receive_id", skill.default_receive_id)
    return skill.send_msg(receive_id, params["text"])

Recommendation

Use a narrowly scoped Feishu app/default recipient and require user confirmation in workflows where unintended messages would matter.

What this means

The skill can act with whatever Feishu messaging permissions the configured app has.

Why it was flagged

The skill requires a Feishu App Secret. That is expected for this integration, but it is a sensitive credential that grants delegated app authority, and the registry metadata lists no primary credential.

Skill content

| APP_SECRET | String | Yes | The Feishu app's App Secret |

Recommendation

Provide only a minimal-permission Feishu app secret, protect and rotate it, and install this only for agents trusted to send Feishu messages.