Security

This document provides security usage recommendations for the Feishu plugin.

⚠️ Core Risk Warning

Important: This plugin connects to your work data (messages, documents, calendar, contacts) via Feishu APIs. What AI can read theoretically has a risk of leakage.

Security Recommendations

1. Prefer Personal Accounts

For now, prefer using personal Feishu accounts for testing and evaluation
Avoid connecting to sensitive data with company accounts
Expand usage scope after evaluation

2. Be Cautious in Group Chats

Recommendation: Avoid using in group chats to reduce data leakage risk
AI may read information it shouldn't in group chats
If needed in group chats, be sure to configure groupPolicy

3. Human Review for Important Operations

For important operations like sending, modifying, writing data
Be sure to "preview first, then confirm"
Never let AI operate in fully autonomous mode

4. Understand Permission Boundaries

User Authorization: Bot permissions are equivalent to user permissions
Application Authorization: Bot permissions are determined by app configuration
Periodically review and clean up unnecessary permissions

Operational Risks

AI Hallucination

AI may misunderstand your intent
May generate content that looks reasonable but is inaccurate
Verify important information

Irreversible Operations

Messages sent by AI on your behalf are sent in your name and cannot be recalled
Deleted documents cannot be recovered
Be cautious with delete operations

Principle of Least Privilege

App Permissions

Only enable necessary API permissions
Periodically review enabled permissions
Timely disable permissions no longer needed

Group Configuration

json

{
  "channels": {
    "feishu": {
      "groups": {
        "oc_xxxxx": {
          "groupPolicy": "allowlist",
          "requireMention": true,
          "tools": {
            "deny": ["feishu_drive_file"]
          }
        }
      }
    }
  }
}

Confirmation for Sensitive Operations

For the following operations, the plugin will require user confirmation:

Delete documents
Delete bitables
Batch messages
Batch operations

Audit and Monitoring

View Logs

Use diagnostic command to check plugin status:

bash

openclaw feishu-diagnose

Audit Recommendations

Regularly check message history
Pay attention to abnormal access behavior
Keep logs of important operations

Disclaimer

This software is released under the MIT License. When running, it calls Feishu Open Platform APIs, requiring compliance with:

Feishu Privacy Policy
Feishu User Terms of Service
Enterprise internal data security regulations

Next Steps

Tool Reference - Learn all available tools
Getting Started - Return to installation guide

Security ​

⚠️ Core Risk Warning ​

Security Recommendations ​

1. Prefer Personal Accounts ​

2. Be Cautious in Group Chats ​

3. Human Review for Important Operations ​

4. Understand Permission Boundaries ​

Operational Risks ​

AI Hallucination ​

Irreversible Operations ​

Principle of Least Privilege ​

App Permissions ​

Group Configuration ​

Confirmation for Sensitive Operations ​

Audit and Monitoring ​

View Logs ​

Audit Recommendations ​

Disclaimer ​

Next Steps ​