pengxiao-wang

Lark Toolkit

by Pengxiao-Wang · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
Downloads: 1072
Stars: 0
Active Installs: 4
Versions: 3
Install in OpenClaw
/install lark-toolkit
Description
Comprehensive Lark/Feishu API skill for OpenClaw agents. Covers all Lark operations via three access paths: claw-lark plugin (message tool), MCP tools (mcpor...
README (SKILL.md)

Lark Toolkit

Prerequisites & Security

This skill is a documentation-only reference guide. It contains no executable code that accesses credentials automatically.

Required credentials (user-provided, never bundled):

How credentials are used:

  • All API examples in SKILL.md use placeholders (<APP_ID>, <APP_SECRET>, CHAT_ID, etc.) — no real secrets
  • The scripts/get_token.sh helper obtains a temporary tenant_access_token from Lark's auth API. It reads credentials from (in order):
    1. Command-line arguments
    2. LARK_APP_ID / LARK_APP_SECRET environment variables
    3. ~/.openclaw/openclaw.json (standard OpenClaw config, path channels.lark.accounts.default.appId/appSecret)
  • The script prints the config source to stderr when falling back to the config file
  • No credentials are hardcoded, cached to disk, logged, or transmitted beyond the single Lark auth API call
  • The token is exported as LARK_TOKEN env var for subsequent commands in the same shell session
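
The lookup order listed above, written out as an added Python example; it is not the project's scripts/get_token.sh. The refusal of a config file that group or other users can access is an assumed policy, added here to match the advice that ~/.openclaw/openclaw.json be accessible only to trusted users, and the credential values are constructed.

```python
import json
import os
import stat
import tempfile


def resolve_credentials(argv, env, config_path):
    """Return (app_id, app_secret, source) in the order the README lists."""
    # 1. Command-line arguments take precedence.
    if len(argv) >= 2 and argv[0] and argv[1]:
        return argv[0], argv[1], "args"
    # 2. Environment variables.
    if env.get("LARK_APP_ID") and env.get("LARK_APP_SECRET"):
        return env["LARK_APP_ID"], env["LARK_APP_SECRET"], "env"
    # 3. Config-file fallback. Assumed policy (not from the page's script):
    #    refuse a file that group or other users can access at all.
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{config_path} is mode {mode:o}; use 600")
    with open(config_path, encoding="utf-8") as fh:
        acct = json.load(fh)["channels"]["lark"]["accounts"]["default"]
    return acct["appId"], acct["appSecret"], "config"


def demo():
    """Run each source against a constructed config file; return the outcomes."""
    cfg = {"channels": {"lark": {"accounts": {"default": {
        "appId": "cli_constructed", "appSecret": "constructed-secret"}}}}}
    env = {"LARK_APP_ID": "cli_env", "LARK_APP_SECRET": "env-secret"}
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "openclaw.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh)
        os.chmod(path, 0o644)  # world-readable: the fallback must refuse it
        try:
            resolve_credentials([], {}, path)
            out["loose"] = "accepted"
        except PermissionError:
            out["loose"] = "rejected"
        os.chmod(path, 0o600)
        out["config"] = resolve_credentials([], {}, path)
        out["env"] = resolve_credentials([], env, path)
        out["args"] = resolve_credentials(["cli_arg", "arg-secret"], env, path)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        # Print only the source label, never the secret itself.
        print(name, value if isinstance(value, str) else value[2])
```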

Three Access Paths

| Need | Path | When |
| --- | --- | --- |
| Send/receive messages | claw-lark plugin (message tool) | Basic text, media, reactions — simplest |
| Structured CRUD ops | MCP tools via mcporter | Bitable, calendar, docs, tasks, OKR — 38 tools |
| Everything else | Direct API (curl) | Contacts, member mgmt, anything MCP doesn't cover |

Rule: claw-lark first → MCP second → direct API as fallback.

Authentication (Direct API)

TOKEN=$(curl -s -X POST 'https://open.larksuite.com/open-apis/auth/v3/tenant_access_token/internal' \
  -H 'Content-Type: application/json' \
  -d '{"app_id":"<APP_ID>","app_secret":"<APP_SECRET>"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['tenant_access_token'])")

Or use the helper: bash scripts/get_token.sh

Token validity: ~2 hours. Cache it.

API Base URLs

| Platform | API Base | Dev Console |
| --- | --- | --- |
| Lark International | https://open.larksuite.com/open-apis/ | https://open.larksuite.com/app |
| Feishu (China) | https://open.feishu.cn/open-apis/ | https://open.feishu.cn/app |

⚠️ Lark ≠ Feishu. Always confirm which platform the tenant uses.

Common API Patterns

Send a Message

curl -X POST "https://open.larksuite.com/open-apis/im/v1/messages?receive_id_type=chat_id" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"receive_id":"CHAT_ID","msg_type":"text","content":"{\"text\":\"hello\"}"}'

Reply in Thread

curl -X POST "https://open.larksuite.com/open-apis/im/v1/messages/MSG_ID/reply" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"msg_type":"text","content":"{\"text\":\"reply\"}","reply_in_thread":true}'

Add Reaction

curl -X POST "https://open.larksuite.com/open-apis/im/v1/messages/MSG_ID/reactions" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"reaction_type":{"emoji_type":"THUMBSUP"}}'

Emoji types: THUMBSUP HEART LAUGH OK COOL FINGERHEART SMILE JIAYOU

List Department Users (MCP gap — direct API only)

# List root departments
curl -s -H "Authorization: Bearer $TOKEN" \
  'https://open.larksuite.com/open-apis/contact/v3/departments?parent_department_id=0&page_size=50&fetch_child=true'

# List users in a department
curl -s -H "Authorization: Bearer $TOKEN" \
  'https://open.larksuite.com/open-apis/contact/v3/users?department_id=<DEPT_ID>&page_size=50'

Key fields: name, open_id, employee_type (1=regular, 2=intern), department_ids

Read Chat History

curl -s -H "Authorization: Bearer $TOKEN" \
  'https://open.larksuite.com/open-apis/im/v1/messages?container_id_type=chat&container_id=<CHAT_ID>&page_size=20&sort_type=ByCreateTimeDesc'

Add Bot to Group

curl -X POST "https://open.larksuite.com/open-apis/im/v1/chats/<CHAT_ID>/members?member_id_type=app_id" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"id_list":["<BOT_APP_ID>"]}'

MCP Tools (38 available)

mcporter call lark-mcp.<tool_name> key=value

Full catalog with parameters: references/mcp-tools.md

MCP Coverage

| Module | Key Tools |
| --- | --- |
| Bitable | create apps/tables, CRUD records, list fields |
| Calendar | create/get/patch events, free/busy, primary calendar |
| Docs | read content, search, import, set permissions |
| IM | create/list groups, get members, send messages, list history |
| OKR | batch get, list periods, CRUD progress, query reviews |
| Report | query rules/tasks, manage views |
| Task | create/patch tasks, add members/reminders |
| Wiki | search nodes, get node details |
| Contacts | batch get user IDs by email/phone |

MCP Gaps (use direct API)

  • List users by department — GET /contact/v3/users?department_id=
  • List departments — GET /contact/v3/departments
  • Add/remove group members — POST /im/v1/chats/{chat_id}/members
  • Send reactions — POST /im/v1/messages/{msg_id}/reactions
  • Upload images/files — POST /im/v1/images / POST /im/v1/files

Pagination

Most list APIs use cursor-based pagination:

?page_size=50&page_token=<token_from_previous_response>

Check has_more in response.

Error Handling

| Code | Meaning |
| --- | --- |
| 0 | Success |
| 99991663 | Token expired — refresh |
| 99991664 | Token invalid |
| 99991400 | Bad request |
| 99991403 | No permission — check app permissions |
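
The Pagination and Error Handling sections combined into one loop, as an added Python example that is not part of the skill. The `fetch_page` and `get_token` hooks are hypothetical, the `data.items` / `data.page_token` response layout is an assumption, and the page data is constructed.

```python
TOKEN_EXPIRED = 99991663
MEANING = {99991663: "token expired", 99991664: "token invalid",
           99991400: "bad request",
           99991403: "no permission; check app permissions"}


class LarkAPIError(Exception):
    """args = (code, meaning)"""


def list_all(fetch_page, get_token, page_size=50, max_requests=200):
    """Collect all items; fetch_page(token, params) and get_token() are
    hypothetical hooks, and the data.items/page_token layout is assumed."""
    token, page_token, just_refreshed, items = get_token(), None, False, []
    for _ in range(max_requests):
        params = {"page_size": page_size}
        if page_token:
            params["page_token"] = page_token
        body = fetch_page(token, params)
        code = body.get("code")
        if code == TOKEN_EXPIRED and not just_refreshed:
            token, just_refreshed = get_token(), True  # refresh once, retry page
            continue
        if code != 0:
            raise LarkAPIError(code, MEANING.get(code, body.get("msg", "unknown")))
        just_refreshed = False
        data = body.get("data") or {}
        items.extend(data.get("items") or [])
        if not data.get("has_more"):
            return items
        page_token = data.get("page_token")
        if not page_token:
            raise LarkAPIError(code, "has_more set but no page_token returned")
    raise LarkAPIError(-1, "request limit reached; cursor may be looping")


def demo():
    """Constructed two-page listing whose first token has already expired."""
    pages = {None: (["u1", "u2"], "p2"), "p2": (["u3"], None)}
    issued = []
    def get_token():
        issued.append(f"t{len(issued) + 1}")
        return issued[-1]
    def fetch_page(token, params):
        if token == "t1":
            return {"code": TOKEN_EXPIRED, "msg": "expired"}
        items, nxt = pages[params.get("page_token")]
        return {"code": 0,
                "data": {"items": items, "has_more": bool(nxt), "page_token": nxt}}
    return list_all(fetch_page, get_token), issued
```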

Critical Pitfalls

  1. Lark ≠ Feishu — International uses open.larksuite.com, China uses open.feishu.cn
  2. open_id is per-app — Same user has different open_id across different Lark apps
  3. Webhook 5s timeout — Return 200 immediately, process async
  4. Event dedup — Use event_id (Lark retries up to 3x)
  5. Bot-to-bot blind spot — Lark does NOT push Bot A's messages to Bot B's webhook
  6. Publishing required — Permission/event changes only take effect after publishing a new app version
  7. ngrok IPv6 trap — Use 127.0.0.1:PORT not localhost:PORT in ngrok config
  8. ngrok free domain — Returns interstitial HTML that Lark rejects. Use paid domain.
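
Pitfalls 3 and 4 handled together, as an added Python example that is not part of the skill: the handler records the event_id, queues the payload and returns at once, so a retried delivery is acknowledged without being processed twice. The `header.event_id` location, the 600-second TTL and the 400 for a delivery with no id are assumptions; the deliveries are constructed.

```python
import queue
import threading
import time


class EventGate:
    """Ack-first webhook gate: dedup on event_id, queue the work, return fast."""

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self.ttl, self.clock = ttl_seconds, clock  # TTL is an assumed value
        self.seen = {}             # event_id -> time first seen
        self.lock = threading.Lock()
        self.work = queue.Queue()  # drained by a worker, never by the handler

    def handle(self, payload):
        """Return the HTTP status for one delivery; does no slow work inline."""
        # Assumed location of the id: header.event_id in the event envelope.
        event_id = (payload.get("header") or {}).get("event_id")
        if not event_id:
            return 400
        now = self.clock()
        with self.lock:
            for eid in [e for e, t in self.seen.items() if now - t > self.ttl]:
                del self.seen[eid]  # bound memory: forget ids past the TTL
            if event_id in self.seen:
                return 200          # retry: acknowledge, do not process again
            self.seen[event_id] = now
        self.work.put(payload)
        return 200


def demo():
    """Constructed deliveries: one event sent three times, then a second event."""
    gate, processed = EventGate(), []

    def worker():
        while (item := gate.work.get()) is not None:
            processed.append(item["header"]["event_id"])

    t = threading.Thread(target=worker)
    t.start()
    sent = ["ev-1", "ev-1", "ev-1", "ev-2"]
    statuses = [gate.handle({"header": {"event_id": e}}) for e in sent]
    statuses.append(gate.handle({"no": "id"}))  # malformed delivery
    gate.work.put(None)  # sentinel: stop the worker
    t.join()
    return statuses, processed
```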

Detailed References

Usage Guidance
This skill is primarily documentation and examples for Lark/Feishu plus a small helper script to fetch tenant_access_token. Before using: (1) review scripts/get_token.sh — it will read LARK_APP_ID/LARK_APP_SECRET env vars or fallback to ~/.openclaw/openclaw.json and will export LARK_TOKEN in your shell; don't 'source' it blindly if you don't want it to read local config. (2) Prefer invoking the script with explicit app_id/app_secret arguments or set env vars rather than relying on the config-file fallback. (3) Ensure ~/.openclaw/openclaw.json is accessible only to trusted users (it may contain credentials for your OpenClaw channels). (4) The docs assume standard CLI tools (curl, python3, lsof, kill); run commands manually in a safe environment if you are unsure. (5) Verify whether your tenant uses open.larksuite.com or open.feishu.cn before making calls. Overall the package appears coherent with its stated purpose; no disproportionate credential or install demands were found.
Capability Analysis
Type: OpenClaw Skill Name: lark-toolkit Version: 1.0.0 The skill bundle provides a comprehensive toolkit for Lark/Feishu API integration. The `SKILL.md` clearly states it's a documentation-only reference and does not automatically access credentials. The `scripts/get_token.sh` is the only executable file, and it transparently fetches a `tenant_access_token` from the legitimate Lark authentication API using credentials provided via command-line, environment variables, or the standard `~/.openclaw/openclaw.json` config. It does not log, store, or exfiltrate credentials beyond the single API call. All `curl` examples in the documentation use placeholders or the `$TOKEN` variable and show no signs of malicious execution or unauthorized data exfiltration. There are no prompt injection attempts or obfuscation found.
Capability Assessment
Purpose & Capability
Name and description match the provided files: comprehensive Lark/Feishu docs, MCP tool catalog, and curl examples. The included helper script (get_token.sh) and references to claw-lark/MCP/direct API are appropriate for a Lark API toolkit.
Instruction Scope
SKILL.md is largely documentation and examples of curl/mcporter usage. One inconsistency: the top-level README says "documentation-only" and "no executable code that accesses credentials automatically," but the repository contains scripts/get_token.sh which will read env vars and (as a fallback) ~/.openclaw/openclaw.json and perform a network call to fetch a tenant_access_token. That helper behavior is expected for this purpose but is a functional script (not pure prose). The instructions reference shell utilities (curl, python3, lsof, kill) for troubleshooting — expected for webhook/debug guidance but assume standard CLI tools are present.
Install Mechanism
No install spec is present; this is instruction-only plus a small helper script. Nothing is downloaded or installed by the skill itself, so there is no install-time code-pull risk.
Credentials
The skill does not declare required env vars in registry metadata, but the documentation and get_token.sh legitimately require LARK_APP_ID and LARK_APP_SECRET (and will optionally use OPENCLAW_CONFIG or ~/.openclaw/openclaw.json). These credentials are proportional and necessary for Lark API calls. Minor caution: the helper prints the config file path when it falls back to the config file and will export LARK_TOKEN into the shell session; users should be aware of this behavior.
Persistence & Privilege
always:false and no install hooks; the skill does not request permanent system presence or modify other skills. Autonomous invocation by the model is allowed (platform default) but not elevated beyond normal skill behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install lark-toolkit
  3. After installation, invoke the skill by name or use /lark-toolkit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: comprehensive Lark/Feishu API skill covering claw-lark plugin, MCP tools, and direct Open API paths
v1.2.0
Security transparency: explicit Prerequisites section declaring credential sources. Fixes ClawHub security flag.
v1.1.0
Comprehensive Lark/Feishu toolkit: auth, messaging, contacts, MCP tools catalog, bot setup, webhook, troubleshooting. 6 reference docs included.
Metadata
Slug lark-toolkit
Version 1.0.0
License
All-time Installs 5
Active Installs 4
Total Versions 3
Frequently Asked Questions

What is Lark Toolkit?

Comprehensive Lark/Feishu API skill for OpenClaw agents. Covers all Lark operations via three access paths: claw-lark plugin (message tool), MCP tools (mcpor... It is an AI Agent Skill for Claude Code / OpenClaw, with 1072 downloads so far.

How do I install Lark Toolkit?

Run "/install lark-toolkit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Lark Toolkit free?

Yes, Lark Toolkit is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Lark Toolkit support?

Lark Toolkit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Lark Toolkit?

It is built and maintained by Pengxiao-Wang (@pengxiao-wang); the current version is v1.0.0.
