Feishu Sheets Skill
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Feishu Sheets integration, but it can use Feishu app credentials to read, change, and delete spreadsheet content.
Install this only if you want the agent to operate Feishu Sheets. Configure a dedicated least-privilege Feishu app, keep FEISHU_APP_ID and FEISHU_APP_SECRET protected, and double-check any write or delete operation before it is run.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could modify or delete rows, columns, or worksheets in Feishu Sheets when asked to perform those actions.
The skill intentionally exposes spreadsheet mutation and deletion operations. This is aligned with a Sheets-management tool, but mistakes or unintended invocations could change or remove user data.
Supports: create spreadsheet, write/read cell values, append rows, insert/delete rows/columns, manage worksheets.
Use the skill only for intended Feishu Sheets tasks and review requests carefully before allowing destructive actions such as delete_dimension or delete_sheet.
Anyone configuring this skill must provide Feishu app credentials that can access spreadsheets allowed by that Feishu app's scopes.
The script uses Feishu app credentials to obtain and use a tenant access token. That is expected for Feishu API access, but it gives the skill delegated account authority.
self.app_id = os.getenv("FEISHU_APP_ID")
self.app_secret = os.getenv("FEISHU_APP_SECRET")
...
"Authorization": f"Bearer {self._get_token()}"Use a dedicated Feishu app with least-privilege scopes and avoid sharing credentials beyond the environment needed for this skill.
Users may not realize from metadata alone that Feishu app credentials are needed before the tool can work.
The registry metadata does not declare the credential/env-var setup that the included script relies on. This is a transparency/setup gap, not evidence of hidden execution or malicious behavior.
Required env vars: none Env var declarations: none Primary credential: none Install specifications: No install spec — this is an instruction-only skill.
Document FEISHU_APP_ID, FEISHU_APP_SECRET, and any Python dependency requirements in the skill metadata or setup instructions.