Feishu Power Skill Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated Feishu automation purpose, but its report scheduler includes an under-documented custom Python script runner that users should review before installing.
Install only if you need deep Feishu automation and can provide a least-privilege Feishu app. Review schedule files before running them, especially any job whose type is custom or that carries a script parameter, and test bulk record updates or document publishing in dry-run or local-output mode first.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A schedule file could cause the agent to run local Python code with the user's permissions, not just generate Feishu reports.
The report scheduler can execute a Python script whose path is supplied in a YAML job. SKILL.md documents the audit and template report types, so the custom type's script execution is broader than a user would expect from the stated report generator.
```python
# Excerpt quoted by the audit; "..." marks code elided from the quotation.
# Imports not shown in the excerpt, added so the names resolve:
import sys
from typing import Dict


def run_custom_report(job: Dict) -> Dict:
    import subprocess
    ...
    script = params["script"]  # script path taken directly from the YAML job
    ...
    # Interpreter + job-supplied path + job-supplied args; no allowlist is applied here
    cmd = [sys.executable, script] + params.get("args", [])
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
    ...


REPORT_RUNNERS = {
    "audit": run_audit_report,
    "template": run_template_report,
    "custom": run_custom_report,
}
```

Do not run schedule files from untrusted sources. Remove or disable the custom runner unless it is explicitly needed, and require user confirmation before executing any custom script job. Note that the quoted code applies a timeout but no restriction on the script path or on the args list, so a schedule file controls exactly which local file the interpreter runs and with which arguments.
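One way to put the recommended review and confirmation step in front of the dispatch table above, as an added example rather than code from the skill. It assumes each job is a mapping with "type" and "params" keys, as the run_custom_report excerpt implies; the "name" key, the ALLOWED_SCRIPT_DIR location and the sample schedule are assumptions.

```python
"""Pre-flight check for schedule jobs before the scheduler dispatches them.

Added example, not code from the Feishu Power Skill. Jobs are assumed to be
mappings with "type" and "params" keys, matching the run_custom_report excerpt;
the "name" key and ALLOWED_SCRIPT_DIR are assumptions.
"""
import sys
from pathlib import Path
from typing import Dict, List

# Report types that SKILL.md documents; anything else is flagged.
DOCUMENTED_TYPES = {"audit", "template"}

# Hypothetical operator-reviewed directory: custom scripts must resolve inside it.
ALLOWED_SCRIPT_DIR = Path("/opt/feishu-skill/reviewed-scripts")


def flag_jobs(jobs: List[Dict]) -> List[Dict]:
    """Return one finding per job that could lead to local code execution."""
    findings = []
    for index, job in enumerate(jobs):
        params = job.get("params") or {}
        reasons = []
        if job.get("type") not in DOCUMENTED_TYPES:
            reasons.append(f"undocumented job type {job.get('type')!r}")
        if "script" in params:
            reasons.append(f"script parameter {params['script']!r}")
        if params.get("args"):
            reasons.append("args parameter supplied")
        if reasons:
            findings.append({"index": index, "name": job.get("name"), "reasons": reasons})
    return findings


def gate_custom_job(job: Dict, confirmed: bool,
                    allowed_dir: Path = ALLOWED_SCRIPT_DIR) -> Dict:
    """Decide whether a custom job may run; return the argv only when policy allows."""
    if not confirmed:
        return {"allowed": False, "argv": None,
                "reason": "custom job needs explicit user confirmation"}
    params = job.get("params") or {}
    # Resolve '..' and symlinks before the containment check so traversal cannot escape.
    script = Path(str(params.get("script", ""))).resolve()
    root = allowed_dir.resolve()
    if root not in script.parents:
        return {"allowed": False, "argv": None, "reason": f"{script} is outside {root}"}
    if script.suffix != ".py":
        return {"allowed": False, "argv": None, "reason": f"{script.name} is not a .py file"}
    args = params.get("args") or []
    if not all(isinstance(a, str) for a in args):
        return {"allowed": False, "argv": None, "reason": "args must be a list of strings"}
    return {"allowed": True, "argv": [sys.executable, str(script), *args], "reason": "ok"}


# Constructed sample schedule, shaped like what yaml.safe_load would return.
SAMPLE_JOBS = [
    {"name": "weekly-audit", "type": "audit", "params": {"table": "tblexample"}},
    {"name": "render", "type": "template", "params": {"template": "weekly.md"}},
    {"name": "sneaky", "type": "custom", "params": {"script": "/tmp/payload.py"}},
    {"name": "odd-audit", "type": "audit", "params": {"script": "./x.py", "args": ["-v"]}},
]
```

flag_jobs is deliberately conservative: a script parameter on a documented type is still reported, because the audit cannot tell from SKILL.md whether the other runners ignore it. The containment check uses resolved paths on both sides so that a symlinked or ".."-laden script path is compared against the real directory.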
The skill can create or update many Feishu table records and publish documents if given the relevant tokens and credentials.
The documented workflows include bulk Bitable mutations and publishing reports to Feishu. These are consistent with the skill's stated purpose, but they are high-impact account actions.
```sh
python3 scripts/bitable_engine.py batch-create --app <app_token> --table <table_id> --data records.json
...
python3 scripts/bitable_engine.py batch-update --app <app_token> --table <table_id> --data updates.json
...
python3 scripts/retail_audit.py demo --publish   # publish directly to Feishu
```
Use dry-run or local-output modes first where available, verify that the app, table, and folder tokens point at the intended targets, and require explicit approval before bulk updates or publishing. A batch-update with the wrong table_id or a stale updates.json overwrites live rows, and the --publish flag skips any local review of the generated document.
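A dry-run and approval gate that could sit in front of the batch-create and batch-update commands above, as an added example rather than the skill's own code. It sends nothing to Feishu: the caller supplies a send_batch callable, and the example only decides whether and how to invoke it. The payload shape (a list of objects with a "fields" mapping and, for updates, a "record_id"), BATCH_SIZE, APPROVAL_CAP and the sample payloads are assumptions.

```python
"""Dry-run, validation and approval gate in front of bulk Bitable mutations.

Added example, not the skill's own batch code. The records.json / updates.json
layout, BATCH_SIZE and APPROVAL_CAP are assumptions; send_batch is whatever
actually talks to the Feishu API.
"""
from typing import Callable, Dict, List

BATCH_SIZE = 500    # assumed per-request chunk size; confirm against the Bitable API limits
APPROVAL_CAP = 200  # assumed: above this many records the run needs a second approval


def plan_mutation(op: str, records: List[Dict]) -> Dict:
    """Describe what a run would do and list payload problems, without sending anything."""
    problems: List[str] = []
    if op not in ("batch-create", "batch-update"):
        problems.append(f"unsupported operation {op!r}")
    seen_ids = set()
    for i, rec in enumerate(records):
        fields = rec.get("fields")
        if not isinstance(fields, dict) or not fields:
            problems.append(f"record {i}: fields missing or empty")
        rid = rec.get("record_id")
        if op == "batch-update":
            if not rid:
                problems.append(f"record {i}: batch-update needs record_id")
            elif rid in seen_ids:
                problems.append(f"record {i}: duplicate record_id {rid!r}")
            else:
                seen_ids.add(rid)
        elif rid:
            problems.append(f"record {i}: batch-create must not carry record_id")
    return {
        "op": op,
        "records": len(records),
        "requests": (len(records) + BATCH_SIZE - 1) // BATCH_SIZE,
        "problems": problems,
        "large_run": len(records) > APPROVAL_CAP,
    }


def run_mutation(op: str, records: List[Dict],
                 send_batch: Callable[[str, List[Dict]], None],
                 approved: bool = False, large_run_approved: bool = False,
                 dry_run: bool = True) -> Dict:
    """Send the mutation only when the plan is clean and the right approvals are present."""
    plan = plan_mutation(op, records)
    plan["sent"] = 0
    if plan["problems"]:
        plan["status"] = "blocked"
        return plan
    if dry_run:
        plan["status"] = "dry-run"
        return plan
    if not approved:
        plan["status"] = "unapproved"
        return plan
    if plan["large_run"] and not large_run_approved:
        plan["status"] = "needs-large-run-approval"
        return plan
    # Chunk so one oversized request does not fail half-way through the payload.
    for start in range(0, len(records), BATCH_SIZE):
        chunk = records[start:start + BATCH_SIZE]
        send_batch(op, chunk)
        plan["sent"] += len(chunk)
    plan["status"] = "sent"
    return plan


# Constructed sample payloads standing in for records.json / updates.json.
SAMPLE_CREATES = [{"fields": {"Store": f"S{i:03d}", "Score": 80 + i}} for i in range(3)]
SAMPLE_UPDATES = [
    {"record_id": "rec_a", "fields": {"Score": 91}},
    {"record_id": "rec_a", "fields": {"Score": 92}},  # duplicate id: two writes to one row
    {"fields": {"Score": 70}},                        # missing record_id
]
```

Run plan_mutation on the exact file you are about to pass to bitable_engine.py and read the problems list before setting dry_run=False; the large-run gate is there so that a typo that turns a ten-row fix into a whole-table rewrite needs a second, deliberate approval.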
If broad Feishu app permissions are configured, the skill can read or change more workspace data than intended.
The skill obtains a Feishu tenant access token from app credentials. This is expected for Feishu automation, but it grants authority according to the Feishu app's configured scopes.
```python
# Excerpt quoted by the audit; "..." marks code elided from the quotation.
# Imports not shown in the excerpt, added so the names resolve:
import os
import requests

APP_ID = os.environ.get("FEISHU_APP_ID", "")
APP_SECRET = os.environ.get("FEISHU_APP_SECRET", "")
...
# Exchanges the app credentials for a tenant access token carrying every scope the app holds
requests.post(
    f"{BASE_URL}/auth/v3/tenant_access_token/internal",
    json={"app_id": APP_ID, "app_secret": APP_SECRET},
    timeout=10,
)
```

Create a dedicated Feishu app with the minimum Bitable, Docx, and Drive scopes needed, and avoid using high-privilege workspace credentials. Treat FEISHU_APP_ID and FEISHU_APP_SECRET as secrets: anyone who obtains the pair can request the same tenant access token, so keep them out of shell history, shared dotfiles, and the skill's own snapshot or log output.
Installation changes the local Python environment and OpenClaw skill discovery path.
The installer installs unpinned packages and can link the skill into the OpenClaw skills directory. This is disclosed setup behavior, but the registry metadata says there is no install spec.
```sh
pip3 install --quiet requests pyyaml 2>/dev/null || pip install --quiet requests pyyaml
...
ln -s "$SCRIPT_DIR" "$target"
```

Review install.sh before running it, install the dependencies in a virtual environment, and pin their versions (with hashes where your tooling supports it) for production use. Check what $target resolves to before running the script, since that symlink is what places the skill on OpenClaw's discovery path, and note that the unpinned pip install pulls whatever versions the index serves at install time.
Local snapshot files may expose Feishu table contents or table identifiers if stored in shared, synced, or insecure folders.
The snapshot feature writes Feishu table records and the app token into a local JSON backup. This is purpose-aligned, but it creates a persistent local copy of potentially sensitive business data.
```python
# Excerpt quoted by the audit; "..." marks code elided from the quotation.
snapshot_data = {
    "app_token": app_token,   # raw Bitable app token stored next to the data
    "table_id": table_id,
    # ...
    "records": [{"record_id": r.get("record_id"), "fields": r.get("fields", {})} for r in records],
}
...
json.dump(snapshot_data, f, ensure_ascii=False, indent=2)  # default file mode, no redaction
```

Store snapshots in protected directories, avoid committing them to source control, and delete them when no longer needed. Because the app token is written alongside the records, a leaked snapshot also identifies the Bitable app it was taken from and hands the reader a parameter needed to query it.
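A hardened version of the snapshot write above, as an added example rather than the skill's own code. It keeps the record layout of the excerpt but replaces the raw app token with a non-reversible fingerprint and creates the file with owner-only permissions from the first byte; the "app_token_fingerprint" field name, the fingerprint scheme, and the demo paths and data are assumptions.

```python
"""Write a Bitable snapshot with owner-only permissions and without the raw app token.

Added example, not the skill's own snapshot code. The "app_token_fingerprint"
field, the SHA-256 prefix scheme and the demo data are assumptions.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def token_fingerprint(app_token: str) -> str:
    """Reference that lets a snapshot be matched to its app without storing
    a token that grants access to it (high-entropy tokens are not guessable
    from a 16-hex-character SHA-256 prefix)."""
    return hashlib.sha256(app_token.encode("utf-8")).hexdigest()[:16]


def write_snapshot(path: Path, app_token: str, table_id: str, records: List[Dict]) -> Dict:
    """Create the snapshot as mode 0600 on creation, with no chmod-after window."""
    snapshot = {
        "app_token_fingerprint": token_fingerprint(app_token),
        "table_id": table_id,
        "records": [{"record_id": r.get("record_id"), "fields": r.get("fields", {})}
                    for r in records],
    }
    path.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL refuses to clobber an existing file; the mode is applied at creation (subject to umask).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(snapshot, f, ensure_ascii=False, indent=2)
    return snapshot


def audit_snapshot(path: Path, app_token: str) -> Dict:
    """Check an existing snapshot: file permissions and whether the raw token leaked into it."""
    mode = stat.S_IMODE(path.stat().st_mode)
    text = path.read_text(encoding="utf-8")
    return {
        "mode": oct(mode),
        "group_or_world_readable": bool(mode & 0o077),
        "contains_raw_token": app_token in text,
        "record_count": len(json.loads(text)["records"]),
    }


def demo_snapshot() -> Dict:
    """Write a constructed snapshot into a temporary directory and audit it."""
    app_token = "constructed-app-token-not-real"  # constructed value, not a Feishu token
    records = [{"record_id": "rec1", "fields": {"Store": "S001", "Score": 88}}]
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "snapshots" / "tbl_demo.json"
        write_snapshot(path, app_token, "tbl_demo", records)
        return audit_snapshot(path, app_token)
```

audit_snapshot is also useful on its own against snapshots the skill has already written: run it with the token from your environment to confirm that no copy in a synced or shared folder still carries the raw value or sits with group- or world-readable permissions.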
