Content System Feishu Bitable Sync

by Abigale-cyber · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 81 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw
/install content-system-feishu-bitable-sync
Description
Sync a local `wechat-report` result into Feishu Bitable after the user has reviewed the report and confirmed the sync.
README (SKILL.md)

feishu-bitable-sync

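This skill is never triggered automatically; it runs only after the user has explicitly confirmed "send to Feishu".

Supported inputs:

  • content-production/inbox/YYYYMMDD-{slug}-wechat-report.md
  • content-production/inbox/raw/wechat-report/YYYY-MM-DD/{slug}.json

The following environment variables must be configured before running:

  • FEISHU_APP_ID
  • FEISHU_APP_SECRET
  • FEISHU_BITABLE_APP_TOKEN
  • FEISHU_BITABLE_TABLE_ID
  • Optional: FEISHU_SYNC_AUTH_MODE, default user
  • Optional: FEISHU_OAUTH_REDIRECT_URI, default http://127.0.0.1:14578/callback

Default behavior:

  • Prefers the Feishu user_access_token cached on the local machine
  • If authorization has not been granted yet, writes an auth_required receipt and prompts you to run feishu-user-auth first
  • If the token refresh fails or the write to Feishu fails, additionally exports a CSV fallback file

Output:

  • content-production/published/YYYYMMDD-{slug}-feishu-sync.md
  • On failure fallback: content-production/published/YYYYMMDD-{slug}-feishu-import.csv

Sync strategy:

  • One row per article
  • De-duplicates by source_url
  • Re-syncing updates the existing row instead of adding a duplicate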
Usage Guidance
This skill appears to legitimately sync local wechat-report data to Feishu Bitable, but beware: (1) the package metadata wrongly omits required environment variables — you must set FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BITABLE_APP_TOKEN, and FEISHU_BITABLE_TABLE_ID before running; (2) the skill will follow a 'Raw JSON:<path>' line in the input markdown and may read that absolute path from disk — only run it on trusted input in an isolated workspace; (3) it uses and caches user/tenant tokens locally (protect those files); and (4) if you need higher assurance, review the feishu_auth helper module (not included here) and inspect runtime.py end-to-end. If any of these are unacceptable, do not install or run the skill until the metadata and documentation are corrected and you’ve audited token handling.
Capability Analysis
Type: OpenClaw Skill
Name: content-system-feishu-bitable-sync
Version: 1.0.0
The skill is designed to sync WeChat reports to Feishu Bitable as described. However, it contains a path traversal vulnerability in `runtime.py` within the `resolve_raw_payload_path` function, which extracts a file path from the input Markdown content using a regex and uses it (even if absolute) without validation. This could allow an attacker to trigger arbitrary file reads or overwrites if they can control the content of the input report. While the logic appears aligned with its stated purpose and lacks clear malicious intent, the lack of path sanitization is a significant security flaw.
Capability Assessment
Purpose & Capability
The code and SKILL.md match the stated purpose (reading local wechat-report JSON/MD and writing rows to Feishu Bitable). The required Feishu credentials (app id/secret, app token, table id) are appropriate for this integration. HOWEVER the registry metadata supplied with the skill declares no required environment variables or primary credential, which is inconsistent with the runtime and SKILL.md.
Instruction Scope
The runtime follows the documented flow: read the provided input file (markdown or JSON), optionally resolve a Raw JSON path referenced inside the markdown, obtain tenant/user tokens, and upsert records into Feishu. One noteworthy behavior: resolve_raw_payload_path will accept an absolute path parsed from the markdown and read it. That means a malicious or mistaken markdown input could cause the skill to read arbitrary local files referenced by the Raw JSON line. The skill also reads/writes token cache files and outputs under content-production/published as described — these are within the stated scope but should be noted.
Install Mechanism
This is instruction + runtime code only; there is no install spec that downloads arbitrary artifacts. No network install URLs or package downloads are present in the bundle, so install risk is low.
Credentials
The runtime (and SKILL.md/README) require FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BITABLE_APP_TOKEN, and FEISHU_BITABLE_TABLE_ID, which are proportionate for Feishu Bitable access. The concern is that the skill's registry metadata lists 'Required env vars: none' and 'Primary credential: none', which is incorrect and misleading — users may install without realizing they must provide sensitive app secrets. The runtime also uses cached user tokens (token cache files) which may contain sensitive tokens and should be stored/handled securely.
Persistence & Privilege
Flags show always=false and the skill does not request persistent platform privileges. It writes only to its own outputs (published CSV/MD) and token cache; there is no evidence it alters other skills or global agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install content-system-feishu-bitable-sync
  3. After installation, invoke the skill by name or use /content-system-feishu-bitable-sync
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of feishu-bitable-sync.
  • Allows users to sync reviewed local `wechat-report` results to Feishu Bitable with explicit confirmation.
  • Supports both Markdown and JSON wechat report formats as input.
  • Requires Feishu-related environment variables for setup.
  • Handles user auth: requests manual authorization if needed and caches user tokens.
  • Failed sync attempts trigger CSV fallback export.
  • Ensures idempotent sync by de-duplicating via `source_url` and updating existing rows.
Metadata
Slug content-system-feishu-bitable-sync
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Content System Feishu Bitable Sync?

Sync a local `wechat-report` result into Feishu Bitable after the user has reviewed the report and confirmed the sync. It is an AI Agent Skill for Claude Code / OpenClaw, with 81 downloads so far.

How do I install Content System Feishu Bitable Sync?

Run "/install content-system-feishu-bitable-sync" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Content System Feishu Bitable Sync free?

Yes, Content System Feishu Bitable Sync is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Content System Feishu Bitable Sync support?

Content System Feishu Bitable Sync is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Content System Feishu Bitable Sync?

It is built and maintained by Abigale-cyber (@abigale-cyber); the current version is v1.0.0.
