feishuweng
Advisory
Audited by VirusTotal on Mar 27, 2026.
Overview
Type: OpenClaw Skill
Name: feishuweng
Version: 1.0.0
The skill is a standard integration for sending messages via the Feishu (Lark) API. It uses official endpoints (open.feishu.cn) to obtain access tokens and send text messages based on user-provided configuration (APP_ID, APP_SECRET) and parameters. The logic in main.py and instructions in SKILL.md are consistent with the stated purpose and show no signs of malicious intent or data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent invokes the skill with the wrong recipient or content, a real Feishu message may be delivered.
The agent-supplied recipient and text are used to send a Feishu message. This is the skill's stated purpose, but it is still an outbound action under the configured app identity.
receive_id = params.get("receive_id", skill.default_receive_id)
return skill.send_msg(receive_id, params["text"])
Use a narrowly scoped Feishu app/default recipient and require user confirmation in workflows where unintended messages would matter.
The skill can act with whatever Feishu messaging permissions the configured app has.
The skill requires a Feishu App Secret. That is expected for this integration, but it is a sensitive credential that grants delegated app authority, and the registry metadata lists no primary credential.
| APP_SECRET | String | Yes | App Secret of the Feishu app |
Provide only a minimal-permission Feishu app secret, protect and rotate it, and install this only for agents trusted to send Feishu messages.
