headteacher

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for setting up a teacher workspace, but users should notice that it can use Feishu account access, modify class databases, and handle sensitive student records.

This skill appears purpose-aligned, but install it only from a trusted source, use a controlled Python environment, connect a least-privileged Feishu account, preview schema/bootstrap plans before writes, and be cautious when importing or generating documents that contain student or family personal information.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved, the agent may create Feishu Bases, tables, fields, views, and local files for the class workspace.

Why it was flagged

The skill is allowed to run local commands and uses them to bootstrap Feishu Base workspaces. This is disclosed and central to the purpose, but it can modify a third-party workspace.

Skill content

allowed-tools: Read, Write, Edit, Bash ... python3 tools/feishu_bootstrap.py bootstrap --workspace-name "<class-name>"

Recommendation

Ask the agent to show the execution plan and target workspace before bootstrapping or importing data, especially for existing Feishu Bases.

What this means

The connected Feishu account or plugin permissions determine what Bases the agent can create, inspect, or modify.

Why it was flagged

The skill relies on Feishu account access through either lark-cli or the OpenClaw Feishu plugin. This is expected for Feishu Base management, but it is delegated account authority.

Skill content

If `lark-cli` is not configured, guide: `lark-cli config init --new` ... create the workspace through the plugin's Feishu Base API tools

Recommendation

Use a least-privileged Feishu account or workspace, verify the official plugin/CLI configuration, and avoid granting broader tenant permissions than needed.

What this means

Class records and generated artifacts may contain private information about students and families.

Why it was flagged

The data model is designed to store sensitive student, guardian, grade, conduct, and communication records. This fits the headteacher purpose but requires careful privacy handling.

Skill content

guardian_1_phone ... guardian_2_phone ... national_id ... address ... scores, conduct, daily observations, parent communication

Recommendation

Import only necessary fields, restrict Feishu sharing, review generated documents before syncing, and avoid storing national IDs or addresses unless required.

What this means

Future installs may resolve to newer package versions than those originally tested.

Why it was flagged

The Python dependencies use lower-bound version ranges rather than pinned hashes or exact versions. This is common, but dependency behavior can change over time.

Skill content

requests>=2.28.0 ... python-docx>=1.1.0 ... openpyxl>=3.1.0 ... python-pptx>=0.6.23

Recommendation

Install in a virtual environment and consider pinning dependency versions for production or school-managed environments.