data-analysis-for-feishu
v1.0.0๐ Powerful ECharts-based data visualization skill optimized for Feishu (Lark) ecosystem. Supports 12+ chart types, 6+ data sources (Excel/CSV/Bitable/Sheet/...
โญ 50ยท 85ยท0 currentยท0 all-time
byzane iris zhou@zzzanezhou0829
MIT-0
Download zip
LicenseMIT-0 ยท Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Feishu-oriented ECharts visualizations) align with included files: data parsing, chart JSON generation, headless rendering (pyppeteer) and auto-analysis. Required capabilities (pandas, openpyxl, pyppeteer, optional Feishu JSON inputs) are consistent with the described feature set (Excel/CSV parsing, screenshot rendering, Feishu card JSON).
Instruction Scope
SKILL.md and scripts instruct only on parsing local data or user-provided Feishu JSON, generating chart options, and rendering screenshots or card JSON. The runtime does fetch ECharts from a CDN for rendering and the headless browser downloads Chromium on first run โ both are justified by the rendering requirements but are external network operations. The test script uses subprocess.run to exercise local commands; its commands are static in the repository. No instructions ask the agent to read unrelated system files, environment secrets, or to transmit data to unknown endpoints.
Install Mechanism
There is no formal install spec; the repo contains a requirements.txt listing pandas, openpyxl, requests, and pyppeteer. This is proportionate to the task, but pyppeteer will download a Chromium binary on first use (large download, network access). ECharts is loaded from jsdelivr CDN during rendering (external dependency). These network downloads are expected for local rendering but raise the usual risks of third-party resources (supply-chain/network availability).
Credentials
The skill does not request environment variables, API tokens, or config paths. Feishu integration is supported but implemented as accepting Feishu JSON inputs (bitable/sheet data) rather than requiring stored Feishu credentials โ so there is no unexpected credential request in the package.
Persistence & Privilege
Skill flags are standard (not always: true). The package does not attempt to modify other skills or system-wide configs. It runs as a normal skill with no elevated persistent privileges.
Assessment
This skill appears to do what it claims (parse data, recommend charts, render ECharts to PNG or generate Feishu card JSON). Before installing, consider: 1) Network downloads: the first run will download Chromium (pyppeteer) and the page renderer loads ECharts from jsdelivr โ this requires outbound network access and a ~100โ200MB download. 2) Sandbox flags: the headless browser is launched with --no-sandbox (common for some containerized environments) โ run the skill in a trusted or isolated environment if you are concerned. 3) Dependencies: install requirements in a virtualenv to avoid polluting system Python. 4) Running tests: test.py uses subprocess.run with shell=True to invoke the bundled scripts โ avoid modifying those commands with untrusted input. 5) Feishu integration: interactive card mode only emits JSON; the skill does not itself send messages to Feishu or store tokens โ you'll need to handle sending and permissions separately. If you need stronger assurance, review the remaining truncated files (sending code, network calls) or run the code in an isolated VM/container first.Like a lobster shell, security has layers โ review code before you run it.
latestvk970qmtr47nwxqksxm3v2zfsjx84h68r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.