lark-integration
Integrates Lark messaging with OpenClaw for seamless bidirectional communication, supporting rich content and document access.
Security score
The lark-integration skill was audited on Feb 9, 2026, and we found 25 security issues across 3 threat categories, including 1 high-severity issue. Review the findings below before installing.
Security Issues
Curl to non-GitHub URL
| 143 | - Check webhook URL is accessible: `curl http://YOUR_IP:3000/health` |
Webhook reference - potential data exfiltration
| 3 | description: Connect Lark (Feishu) messaging to OpenClaw via webhook bridge. Supports text, rich text (post), and image messages bidirectionally. Use when setting up Lark/Feishu as a messaging channel |
Webhook reference - potential data exfiltration
| 20 | node bridge-webhook.mjs |
Webhook reference - potential data exfiltration
| 22 | # 3. Configure Lark webhook URL in developer console |
Webhook reference - potential data exfiltration
| 24 | # URL: http://YOUR_SERVER_IP:3000/webhook |
Webhook reference - potential data exfiltration
| 30 | Lark App ──webhook──► Bridge (port 3000) ──WebSocket──► OpenClaw Gateway |
Webhook reference - potential data exfiltration
| 58 | | `WEBHOOK_PORT` | No | Webhook listen port (default: 3000) | |
Webhook reference - potential data exfiltration
| 81 | ### bridge-webhook.mjs |
Webhook reference - potential data exfiltration
| 83 | Main webhook bridge. Receives Lark events, forwards to OpenClaw, sends replies. |
Webhook reference - potential data exfiltration
| 86 | FEISHU_APP_ID=cli_xxx node scripts/bridge-webhook.mjs |
Webhook reference - potential data exfiltration
| 143 | - Check webhook URL is accessible: `curl http://YOUR_IP:3000/health` |
Webhook reference - potential data exfiltration
| 144 | - Verify webhook in Lark console shows "Verified" |
Access to hidden dotfiles in home directory
| 14 | echo "FEISHU_APP_ID=cli_xxx" >> ~/.openclaw/workspace/.env |
Access to hidden dotfiles in home directory
| 15 | mkdir -p ~/.openclaw/secrets |
Access to hidden dotfiles in home directory
| 16 | echo "your_app_secret" > ~/.openclaw/secrets/feishu_app_secret |
Access to hidden dotfiles in home directory
| 57 | | `FEISHU_APP_SECRET_PATH` | No | Path to secret file (default: `~/.openclaw/secrets/feishu_app_secret`) | |
Access to .env file
| 14 | echo "FEISHU_APP_ID=cli_xxx" >> ~/.openclaw/workspace/.env |
External URL reference
| 23 | # https://open.larksuite.com → Your App → Event Subscriptions |
External URL reference
| 24 | # URL: http://YOUR_SERVER_IP:3000/webhook |
External URL reference
| 47 | - `*.larksuite.com` → `https://open.larksuite.com` (International) |
External URL reference
| 48 | - `*.feishu.cn` → `https://open.feishu.cn` (China) |
External URL reference
| 125 | node skills/feishu-doc/index.js fetch "https://xxx.larksuite.com/docx/TOKEN" |
External URL reference
| 143 | - Check webhook URL is accessible: `curl http://YOUR_IP:3000/health` |
External URL reference
| 169 | - [Lark Developer Console](https://open.larksuite.com/) (International) |
External URL reference
| 170 | - [Feishu Developer Console](https://open.feishu.cn/) (China) |
Install this skill with one command
/learn @openclaw/lark-integration