← Back to Skills Marketplace
1. 🎨 画板图谱注入器 (
2. 🗄️ 多维表格数据执行器 (
3. 📜 高级排版转化引擎 (
669
Downloads
0
Stars
4
Active Installs
2
Versions
Install in OpenClaw
/install feishu-advanced-builder
Description
飞书高阶构建器。提供飞书基础原生工具之外的深度结构化能力,包括:原生画板(Mermaid/PlantUML)一键生成并嵌入、多维表格(Bitable)精准行列级数据操控、以及超复杂 Markdown 到飞书原生 Block 树的无损转化。适用于研发 DevOps 流转、架构图自动绘制及重度排版文档生成。
README (SKILL.md)
Feishu Advanced Builder (飞书高阶构建器)
超越普通纯文本记录,通过“构建器”思维实现飞书环境下的深度结构化数据写入与控制。它直接干预飞书底层的原子块(Block)与数据行记录,适用于汽车软件开发、架构师日常沉淀与复杂的 Auto-RCA 报告输出。
🎯 三大核心模块 (Core Capabilities)
1. 🎨 画板图谱注入器 (scripts/feishu-board.js)
使用场景: 故障树智能生成、架构时序设计、业务状态流转图。 将大模型生成的逻辑(如 Mermaid / PlantUML)自动变现为飞书原生的画板块(Block Type 43)。
- 一键创建子画板并嵌入文档
- 支持 Mermaid 流程图注入(
syntaxType: mermaid) - 支持 PlantUML 时序/类图/脑图注入(
syntaxType: plantuml)
2. 🗄️ 多维表格数据执行器 (scripts/feishu-bitable.js)
使用场景: Auto-RCA 自动化 Bug 指派、测试状态追踪看板。 它不是简单的读取整张表格,而是像操作 SQL 数据库一样精准干预具体的 Row(行级数据)。
- 在指定的 App ID / Table ID 下创建或更新特定数据条目。
- 支持写入带数据格式限定的字段:多选状态 (Status)、关联人员 (Persons)、日期筛选 (Dates) 等。
3. 📜 高级排版转化引擎 (scripts/feishu-markdown-to-docx.js)
使用场景: PRD/架构文档自动反编译及回写、长篇分析报告输出。 解决复杂的 Markdown 输出到飞书文档时排版崩坏或降级为纯文本的问题。
- 精准映射底层节点:将大模型的列表嵌套、复杂区块引用、代码高亮强制重编译为飞书原生的对应 Block 结构,保证最高级别的沉淀美观度。
🛠️ 安装与鉴权 (Setup)
前提:飞书应用必须拥有相关的多维表 (bitable:app)、文档 (docx:document) 和 画板 (board:whiteboard:node) 高级写入与读取权限。
FEISHU_APP_ID&FEISHU_APP_SECRET: 飞书应用的密钥凭证。
Note: 这是一个进阶开发者套件,执行前确保你清楚它的结构化数据定位。
Usage Guidance
Key points before you install/use this skill:
- Origin verification: The skill's Source/Homepage are unknown. Only install if you trust the publisher or can host/inspect the code yourself.
- Credentials: The scripts require FEISHU_APP_ID and FEISHU_APP_SECRET even though registry metadata didn't declare them — do not provide tenant-wide admin credentials unless you understand scope. Prefer creating an app with minimal write scopes and test in a non-production tenant.
- Dependency & runtime: The bundled Node scripts reference 'feishu-markdown' and rely on fetch being available. The skill provides no install instructions; you'll likely need to install npm packages manually. Review and vendor dependencies before running to avoid pulling malicious packages.
- Token leakage: The scripts log tokens and API responses to stdout. Ensure logs are not sent to external log aggregators or shared channels, or modify the code to avoid printing tokens.
- File access: The tools accept arbitrary local file paths (markdown, code). Only run them with files you intend to expose and avoid running them with elevated privileges or in directories containing secrets.
- Recommended actions: If you want to use this, fetch the repository, review the three scripts and their dependencies, run them in an isolated environment (ephemeral container) with a least-privilege Feishu app, and consider adding explicit documentation or an install script that pins dependencies and documents the exact env vars used (including FEISHU_BASE_URL). If you cannot validate the source, treat it as untrusted code and do not provide production credentials.
Capability Analysis
Type: OpenClaw Skill
Name: feishu-advanced-builder
Version: 1.0.1
The skill bundle is classified as suspicious due to a local file inclusion (LFI) vulnerability present in all three primary JavaScript scripts (`scripts/feishu-bitable.js`, `scripts/feishu-board.js`, `scripts/feishu-markdown-to-docx.js`). Each script uses `fs.readFileSync` to read content from a file path provided as a command-line argument (`--markdown-file` or `--code-file`). An attacker could exploit this by injecting a malicious file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) via prompt injection to the OpenClaw agent, leading to arbitrary file disclosure. While the scripts then attempt to process this content and send it to the Feishu API (the intended destination for the skill's output), the ability to read arbitrary local files constitutes a significant security vulnerability.
Capability Assessment
Purpose & Capability
The skill's name/description (Feishu board, bitable, markdown→doc) align with the included scripts which call Feishu APIs. However the registry metadata declares no required environment variables while both SKILL.md and all three scripts require FEISHU_APP_ID and FEISHU_APP_SECRET — a clear mismatch in what the package claims vs what it needs. The code also uses FEISHU_BASE_URL (override) and a third-party module 'feishu-markdown' that are not declared in metadata.
Instruction Scope
Runtime instructions and scripts stay within the stated purpose: they read user-provided local files (markdown or code files) and call Feishu Open API endpoints to create whiteboards, tables, and blocks. Things to note: the scripts print tokens and API responses to stdout (which could leak tenant_access_token or created resource tokens into logs), and they accept arbitrary --markdown-file / --code-file paths — so if the agent runs these without careful argument validation it could read local files the user didn't intend to expose. There are no hidden external endpoints in the bundled code; network calls target BASE_URL (default open.feishu.cn) but that base URL can be overridden via env.
Install Mechanism
There is no install spec (instruction-only), which reduces disk-write risk. However the package includes Node.js scripts that depend on external packages (notably 'feishu-markdown') and on global availability of fetch in the runtime. Those dependencies are not declared in the registry metadata or SKILL.md install instructions, which is an inconsistency: running the scripts will likely fail or require installing third-party packages from npm. The absence of an explicit, auditable install step increases the chance an operator will run ad-hoc commands to satisfy missing deps.
Credentials
Requesting FEISHU_APP_ID and FEISHU_APP_SECRET is proportionate for a Feishu integration. But the registry metadata advertised no required env vars while SKILL.md and all scripts require FEISHU_APP_ID and FEISHU_APP_SECRET (and optionally FEISHU_BASE_URL). The skill also prints tokens to stdout (tenant_access_token and created resource tokens) which may expose secrets in logs; that behavior isn't documented as a caution. The declared primary credential is 'none' while the code clearly depends on app credentials — this mismatch is a red flag.
Persistence & Privilege
always:false and no indication the skill modifies other skills or system-wide agent settings. It does not request permanent presence or elevated platform privileges. Autonomous invocation is enabled by default but not combined with other alarming factors here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install feishu-advanced-builder - After installation, invoke the skill by name or use
/feishu-advanced-builder - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Added _meta.json file to the project.
- No other changes to core functionality or documentation.
v1.0.0
Evolution: Comprehensive struct builder.
Metadata
Frequently Asked Questions
What is Feishu Advanced Builder?
飞书高阶构建器。提供飞书基础原生工具之外的深度结构化能力,包括:原生画板(Mermaid/PlantUML)一键生成并嵌入、多维表格(Bitable)精准行列级数据操控、以及超复杂 Markdown 到飞书原生 Block 树的无损转化。适用于研发 DevOps 流转、架构图自动绘制及重度排版文档生成。 It is an AI Agent Skill for Claude Code / OpenClaw, with 669 downloads so far.
How do I install Feishu Advanced Builder?
Run "/install feishu-advanced-builder" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Feishu Advanced Builder free?
Yes, Feishu Advanced Builder is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Feishu Advanced Builder support?
Feishu Advanced Builder is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Feishu Advanced Builder?
It is built and maintained by Robert Ma (@mydreamhorse); the current version is v1.0.1.
More Skills