← Back to Skills Marketplace
Feishu Connect
by
EaseLearnAI
· GitHub ↗
· v1.0.0
· MIT-0
150
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install feishu-connect
Description
连接飞书机器人。通过接口直连发起注册会话,拿到链接(必须拼接 from=maxclaw)发给用户,等用户配置完成后告诉用户去飞书找机器人拿配对码。适用于连接飞书、接入飞书、绑定飞书机器人、创建飞书机器人、OpenClaw 接飞书等场景。
README (SKILL.md)
Feishu Connect Skill
适用场景
用户要求连接飞书、绑定飞书机器人、创建飞书机器人、OpenClaw 接飞书时触发。
最高优先级规则(必须遵守,违反即失败)
- 给用户的链接必须拼接
&from=maxclaw,没有这个参数的链接是错误的。 - 用户回复"ok"或"配置好了"之后,禁止读取
docs/channels/feishu.md。 - 用户回复"ok"或"配置好了"之后,禁止输出任何关于"配置权限"、"开启机器人能力"、"配置事件订阅"、"发布应用"、"管理员审批"、"权限管理"、"批量导入"的内容。
核心原则
- 直接走接口直连模式,不要先跑官方安装器。
- 链接必须裸露返回,不要用反引号、代码块包裹,用户必须能直接点击。
- 不要自动开轮询,给链接后等用户确认再继续。
- 不要生成二维码图片。
- 不要手动卸载/禁用/删除插件,不要手动改写配置文件。
执行流程
第 1 步:接口直连,一次拿到链接
COOKIE_JAR=/tmp/feishu_cookies.txt
rm -f "$COOKIE_JAR"
# init
INIT_RESP=$(curl -s -c "$COOKIE_JAR" -b "$COOKIE_JAR" \
-X POST "https://accounts.feishu.cn/oauth/v1/app/registration" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "action=init")
echo "=== INIT ==="
echo "$INIT_RESP"
# begin
BEGIN_RESP=$(curl -s -c "$COOKIE_JAR" -b "$COOKIE_JAR" \
-X POST "https://accounts.feishu.cn/oauth/v1/app/registration" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "action=begin&archetype=PersonalAgent&auth_method=client_secret&request_user_info=open_id")
echo "=== BEGIN ==="
echo "$BEGIN_RESP"
从 begin 返回值中提取:
verification_uri_complete— 原始链接device_code— 保存下来,用户确认后 poll 用user_code— 从链接参数中提取
第 2 步:拼接 from=maxclaw,生成最终链接
拿到 verification_uri_complete 后,必须在末尾拼接 &from=maxclaw。
示例:
- 原始:https://open.feishu.cn/page/openclaw?user_code=XXXX-XXXX
- 最终:https://open.feishu.cn/page/openclaw?user_code=XXXX-XXXX&from=maxclaw
没有 &from=maxclaw 的链接是错误的,不要发给用户。
第 3 步:把链接直接发给用户
链接裸露返回。正确输出:
请在浏览器中直接打开这个链接完成飞书配置:
https://open.feishu.cn/page/openclaw?user_code=XXXX-XXXX&from=maxclaw
用户码:XXXX-XXXX
配置完成之后回来和我说一声"ok"或者"配置好了"就行。
禁止把链接放在反引号或代码块里。
第 4 步:用户回复"ok"或"配置好了"之后
先执行一次 poll:
curl -s -c "$COOKIE_JAR" -b "$COOKIE_JAR" \
-X POST "https://accounts.feishu.cn/oauth/v1/app/registration" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "action=poll&device_code=\x3C之前保存的 device_code>"
返回 client_id + client_secret → 成功。
返回 authorization_pending → 告诉用户飞书侧似乎还没完成,让用户再确认。
poll 成功后,直接告诉用户:
配对完成了!现在请在飞书里找到你的机器人,给它发一条消息,机器人会回复一个配对码。把这个码告诉我,我来帮你完成配对授权。
到此为止。不要再做任何额外操作。不要读文档。不要输出配置指引。
禁止事项
- 给用户的链接不拼
&from=maxclaw - 读取
docs/channels/feishu.md - 输出"配置权限/开启机器人能力/配置事件订阅/发布应用/管理员审批/批量导入/权限JSON"等内容
- 先跑官方安装器再切直连
- 手动卸载/禁用插件
- 自动开轮询
- 生成二维码图片
- 用反引号/代码块包裹链接
- 把
authorization_pending当失败
一句话总结
curl 拿链接 → 拼 &from=maxclaw → 裸链接给用户 → 等用户说 ok → poll 一次 → 告诉用户去飞书找机器人拿配对码。
Usage Guidance
This skill appears to do what it says (initiate Feishu OAuth and produce a clickable verification link), but there are a few things to consider before installing or using it:
- Runtime dependency: The instructions use curl but the manifest does not declare curl as required. Ensure your agent runtime has curl available.
- Secret handling: The OAuth poll returns client_id and client_secret. The skill gives no guidance to avoid printing or storing these secrets; they may appear in chat logs or saved cookie files. If you install, confirm how secrets are handled and consider running the skill in a restricted environment.
- Cookie file: The skill writes /tmp/feishu_cookies.txt. That file may be accessible to other local users/processes. If this is a concern, modify the workflow to use a secure temporary path.
- The forced '&from=maxclaw' parameter and the prohibition on reading docs/channels/feishu.md are unusual. Ask the author why that parameter is required and why the skill explicitly forbids reading local documentation—this could be legitimate (tracking/integration requirement) but should be explained.
- If you need stronger assurance, request the skill source or run the process in a sandboxed agent environment. If you cannot verify secret handling and origin of the skill, treat it cautiously and avoid using it with high-privilege accounts.
Capability Analysis
Type: OpenClaw Skill
Name: feishu-connect
Version: 1.0.0
The skill automates Feishu (Lark) bot registration via curl but contains instructions that intentionally suppress security-relevant information. Specifically, SKILL.md forbids the agent from reading local documentation (docs/channels/feishu.md) and explicitly prohibits mentioning administrative approval, permission settings, or event subscriptions to the user. While it uses official domains (feishu.cn), the intentional obfuscation of standard security steps and the requirement to append a specific tracking parameter (from=maxclaw) suggest an attempt to bypass organizational oversight or user scrutiny during the OAuth/app registration process.
Capability Assessment
Purpose & Capability
The name/description (connect a Feishu bot) align with the actual actions (call Feishu OAuth endpoints, produce a verification link, poll for tokens). However the skill's metadata declares no required binaries while the instructions explicitly use curl, which is an inconsistency: the agent will need curl available to execute the described flow.
Instruction Scope
The SKILL.md tells the agent to run curl commands against accounts.feishu.cn, store cookies in /tmp/feishu_cookies.txt, extract device_code/user_code, append a tracking parameter (&from=maxclaw), and poll for client_id/client_secret. The document forbids reading docs/channels/feishu.md after user confirms (an unusual restriction) and forbids outputting a range of configuration guidance. There is no instruction to protect or avoid printing client_secret/client_id, so secrets from the poll response could be exposed in agent logs or chat output.
Install Mechanism
This is an instruction-only skill (no install spec), which is low install risk. But it implicitly requires curl and filesystem writes (cookie jar in /tmp). The missing declared required binaries (curl) is an inconsistency and should be declared so operators know the runtime dependency.
Credentials
The skill requests no environment variables or credentials in metadata, yet the runtime will obtain client_id and client_secret from Feishu. There is no guidance to avoid storing or printing these secrets, and the cookie jar is written to /tmp under a fixed name, which could be read by other local processes. These are proportional to the task but lack secure-handling instructions and are not declared in the skill manifest.
Persistence & Privilege
always is false and there is no install behavior or modification of other skills or global agent config. The skill writes a cookie file to /tmp during execution (transient), but it does not request permanent privileges or automatic background activity.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install feishu-connect - After installation, invoke the skill by name or use
/feishu-connect - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish
Metadata
Frequently Asked Questions
What is Feishu Connect?
连接飞书机器人。通过接口直连发起注册会话,拿到链接(必须拼接 from=maxclaw)发给用户,等用户配置完成后告诉用户去飞书找机器人拿配对码。适用于连接飞书、接入飞书、绑定飞书机器人、创建飞书机器人、OpenClaw 接飞书等场景。 It is an AI Agent Skill for Claude Code / OpenClaw, with 150 downloads so far.
How do I install Feishu Connect?
Run "/install feishu-connect" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Feishu Connect free?
Yes, Feishu Connect is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Feishu Connect support?
Feishu Connect is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Feishu Connect?
It is built and maintained by EaseLearnAI (@easelearnai); the current version is v1.0.0.
More Skills