Feishu Task Manager
Security checks across malware telemetry and agentic risk
Overview
This skill appears purpose-aligned for managing Feishu tasks, but it uses Feishu app credentials and can create, update, and delete task data, so users should scope permissions carefully.
This skill is reasonable for Feishu task management if you intend to let OpenClaw read and modify Feishu tasks. Before installing, verify the source, use a dedicated Feishu app with only the required scopes, protect the app secret, and confirm any delete or major update action before allowing it to run.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing it must provide app credentials that can read and modify Feishu tasks within the permissions granted to the Feishu app.
The skill uses Feishu application credentials and task read/write permissions. This is expected for a Feishu task manager, but it grants delegated authority over task data.
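Set the following environment variables (or pass them in when calling):
export FEISHU_APP_ID="cli_xxxxx"
export FEISHU_APP_SECRET="xxxxxxxx"
Make sure the Feishu app has requested the following permissions:
- `task:task:write` - create, update, and delete tasks
- `task:task:readonly` - read task information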
Use a dedicated least-privilege Feishu app, grant only the needed task scopes, protect FEISHU_APP_SECRET, and remove or rotate the secret if the skill is no longer used.
A mistaken or overly broad agent action could modify, complete, or delete real Feishu tasks.
The helper can update and delete Feishu tasks. These actions match the stated task-management purpose, but they are high-impact account mutations if invoked with the wrong task ID or user intent.
def update_task(self, task_id: str, **kwargs) -> Dict:
    ...
    return self._make_request('PATCH', endpoint, data)

def delete_task(self, task_id: str) -> Dict:
    endpoint = f'/task/v2/tasks/{task_id}'
    return self._make_request('DELETE', endpoint)

Require clear user confirmation for delete, completion, reassignment, and other destructive or high-impact updates; verify task IDs and assignees before execution.
Installing from an unpinned repository could fetch code different from the reviewed package.
The README documents manual installation from a mutable GitHub branch rather than a pinned release or commit. This is not automatically executed by the skill, but it affects provenance if users follow the setup instructions.
git clone https://github.com/youyoude/feishu-task.git
cp -r feishu-task ~/.openclaw/skills/
Install from a trusted release or pinned commit and review the files before copying them into the OpenClaw skills directory.
