Based on FeiShu(飞书) / Lark's OpenAPI MCP server, manage user information, chats, emails, cloud documents, multidimensional tables, tasks, calendars, etc.
Security Analysis
Medium confidence
The skill's declared requirements (mcporter / npx and a LARK_MCP_SERVERS value) match its Lark / Feishu MCP purpose, but it relies on an external npm tool (mcporter) that runs code you can't inspect here and instructs the agent to write sensitive tokens into a workspace .env, a combination that raises reasonable caution.
Name/description, required env var LARK_MCP_SERVERS, and the use of mcporter/npx are consistent with calling Lark/Feishu MCP servers and enumerating/using MCP tools. Nothing required appears unrelated to the stated functionality.
SKILL.md instructs the agent to read a workspace .env (then system env) and, if missing, prompt the user and update the .env file with MCP server URLs/tokens. It also runs npx -y mcporter to list/call MCP tools. These steps are within scope for configuring and using MCP but grant the skill the ability to read and write workspace secrets and execute an external package at runtime.
Install spec uses the npm package 'mcporter' (node kind) and recommends executing via 'npx -y mcporter'. Installing or invoking an npm package executes third-party code from the registry; this is a normal mechanism but carries moderate risk because the package's code is not included here and could perform unexpected actions.
The single required env var (LARK_MCP_SERVERS) is appropriate for the skill's purpose, but the workflow encourages persisting MCP tokens/URLs in a workspace .env file. Storing sensitive credentials in repository/workspace files increases exposure and should be judged carefully.
The skill does not request always:true and does not declare system-wide privileges. The only persistence behavior in the instructions is writing/updating a workspace .env file, which is plausible for configuration but should be treated as sensitive.
Guidance
This skill is coherent with its Lark/Feishu MCP purpose, but proceed cautiously. Before installing or running it:
1) Verify the reputation and source of the 'mcporter' npm package (review its npm/github code, maintainer, and recent changes).
2) Prefer invoking mcporter via npx in a disposable or sandboxed environment first so you don't install unknown packages system-wide.
3) Avoid committing sensitive MCP tokens into repository .env files; use a secrets manager or local-only env, and consider using a limited-scope test token.
4) If you need stronger assurance, ask the publisher for the mcporter source and a threat model (what the package will read/write/network to).
If you can't validate the package, treat the skill as potentially risky and limit its access (run in isolated workspace or container).
Latest Release
v1.0.0
Initial release of mcp-lark: Lark/FeiShu OpenAPI MCP server skill
- Manage user information, chats, emails, documents, tables, tasks, and calendars via Lark/FeiShu's MCP server.
- Guides on configuring MCP service URLs using environment variables in `.env`.
- Provides command examples for listing and calling available tools with `npx -y mcporter`.
- Includes references and best practices for compatibility.
Published by @al-one on ClawHub