Low Risk — Risk Score 15/100
Last scan: 1 day ago
lark-calendar-litiao
Create, update, and delete calendar events and tasks in Lark (Feishu)
Legitimate Lark calendar and task management skill with no malicious indicators; only accesses Lark API endpoints using documented credentials.
Skill Name: lark-calendar-litiao
Duration: 55.1s
Engine: pi
Safe to install
Approve for use. Consider pinning dotenv to a specific version for better supply chain hygiene.

Findings (1 item)

Severity | Finding | Location
Low | Unpinned dependency version | Supply Chain
The dotenv dependency is specified with a caret range (^17.2.3) rather than a pinned version. This allows automatic minor/patch updates, which could introduce unexpected behavior.
Evidence (package.json:13): "dotenv": "^17.2.3"
→ Pin to a specific version: "dotenv": "17.2.3"
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | lib/lark-api.mjs:25 - fetch() calls to https://open.feishu.cn/open-apis
Environment | READ | READ | ✓ Aligned | lib/lark-api.mjs:14-17 - loads FEISHU_APP_ID and FEISHU_APP_SECRET
Filesystem | NONE | READ | ✓ Aligned | lib/lark-api.mjs:14 - config() reads .secrets.env file for credentials
Shell | NONE | NONE | - | No subprocess or shell execution found
Skill Invoke | NONE | NONE | - | No skill_invoke usage detected
Clipboard | NONE | NONE | - | No clipboard access detected
Browser | NONE | NONE | - | No browser automation detected
Database | NONE | NONE | - | No database access detected
8 findings

Severity | Type | Value | Location
Medium | External URL | https://open.larksuite.com/document/server-docs/calendar-v4/calendar-event/create | SKILL.md:211
Medium | External URL | https://open.larksuite.com/document/server-docs/calendar-v4/calendar-event-attendee/create | SKILL.md:212
Medium | External URL | https://open.larksuite.com/document/server-docs/task-v2/task/create | SKILL.md:213
Medium | External URL | https://open.larksuite.com/app/cli_a9f52a4ed7b8ded4/auth | SKILL.md:225
Medium | External URL | https://open.feishu.cn/open-apis | lib/lark-api.mjs:24
Medium | External URL | https://dotenvx.com | package-lock.json:24
Info | Email address | [email protected] | SKILL.md:26
Info | Email address | [email protected] | lib/calendar.mjs:9

File Tree

17 files · 55.7 KB · 1973 lines
JavaScript: 13 files, 1692 lines · Markdown: 1 file, 229 lines · JSON: 3 files, 52 lines
├─ 📁 lib
│ ├─ 📜 calendar.mjs JavaScript 310L · 9.5 KB
│ ├─ 📜 employees.mjs JavaScript 241L · 7.3 KB
│ ├─ 📜 lark-api.mjs JavaScript 142L · 3.8 KB
│ └─ 📜 task.mjs JavaScript 187L · 4.6 KB
├─ 📁 scripts
│ ├─ 📜 create-event.mjs JavaScript 124L · 4.0 KB
│ ├─ 📜 create-task.mjs JavaScript 109L · 3.1 KB
│ ├─ 📜 delete-event.mjs JavaScript 59L · 1.4 KB
│ ├─ 📜 delete-task.mjs JavaScript 55L · 1.1 KB
│ ├─ 📜 list-events.mjs JavaScript 93L · 2.5 KB
│ ├─ 📜 manage-attendees.mjs JavaScript 109L · 3.3 KB
│ ├─ 📜 manage-task-members.mjs JavaScript 105L · 3.0 KB
│ ├─ 📜 update-event.mjs JavaScript 83L · 2.2 KB
│ └─ 📜 update-task.mjs JavaScript 75L · 1.8 KB
├─ 📋 _meta.json JSON 5L · 132 B
├─ 📋 package-lock.json JSON 28L · 678 B
├─ 📋 package.json JSON 19L · 337 B
└─ 📝 SKILL.md Markdown 229L · 6.9 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
dotenv | ^17.2.3 | npm | No | Version not pinned, minor supply chain concern

Security Positives

✓ All network requests go exclusively to legitimate Lark API endpoints (open.feishu.cn)
✓ Credentials are used only for API authentication, never exfiltrated
✓ No shell execution, subprocess, or command injection vulnerabilities
✓ No obfuscation techniques (base64, eval, etc.) detected
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env file scanning)
✓ No hidden functionality - code matches documented behavior
✓ Clear documentation of all capabilities in SKILL.md
✓ No prompt injection or jailbreak attempts
✓ Employee data is used only for name-to-user_id resolution within the tool