← Back to Skills Marketplace
490
Downloads
0
Stars
9
Active Installs
1
Versions
Install in OpenClaw
/install official-feishu-toolkit
Description
飞书开放平台全面集成工具包。支持日历与会议室预约、消息发送、审批流程、多维表格操作、通讯录查询和考勤管理六大核心办公模块。
Usage Guidance
What to check before installing:
- Do NOT run curl https://backend.clawd.org.cn/... | sh without review. That command downloads and executes an external script from an unknown host—inspect the script contents and verify its source first.
- Verify the 'uv' brew formula: confirm which tap provides it and inspect the formula contents. 'uv' is not a common system dependency for Python/uvicorn, so confirm it's legitimate for your environment.
- The skill will get FEISHU_APP_ID and FEISHU_APP_SECRET; those credentials let the app obtain tenant_access_token and perform all API actions listed (send messages, read contacts, manage approvals, attendance, bitable, calendar). Only grant the minimum permissions needed in the Feishu developer console and consider using a dedicated test app/tenant first.
- If you want lower risk, install from the included source files directly: create a Python virtualenv, pip install the package dependencies from pyproject.toml, set env vars locally, and run uvicorn pointing at feishu_toolkit.main — avoid opaque install scripts.
- If the publisher can provide an official homepage or signed release (or if the install script is hosted on a well-known, verifiable domain such as a GitHub release), that would reduce supply-chain concern; ask the publisher for those artifacts. If you cannot verify the install sources, treat this skill as higher risk.
Capability Analysis
Type: OpenClaw Skill
Name: official-feishu-toolkit
Version: 1.0.0
The skill's core functionality and runtime code appear benign, providing a comprehensive toolkit for Feishu API integration (calendar, messaging, approval, etc.). All external API calls are directed to the official Feishu domain. However, the installation instructions in `SKILL.md` and `README.md` recommend executing a remote script via `curl -sL "https://backend.clawd.org.cn/api/skills/official%2Ffeishu-toolkit/install.sh" | sh`. While `clawd.org.cn` is presumed to be the official OpenClaw backend, this `curl | sh` pattern represents a significant Remote Code Execution (RCE) vulnerability, as it executes arbitrary code downloaded from a remote server without prior inspection. This is a high-risk installation method, classifying the skill as suspicious due to this inherent vulnerability, even without evidence of malicious intent in the skill's own code or explicit prompt injection.
Capability Assessment
Purpose & Capability
Name/description (Feishu toolkit) match the code and declared env vars: the server implements calendar, messaging, approval, bitable, contacts and attendance APIs and only requires FEISHU_APP_ID / FEISHU_APP_SECRET. The required binary 'uv' is odd but is used in the README/SKILL.md to run virtualenv/pip/uvicorn; it's not fundamentally incompatible with the stated purpose.
Instruction Scope
Runtime instructions are scoped to running a local FastAPI service and configuring FEISHU credentials; the code reads only FEISHU_APP_ID, FEISHU_APP_SECRET and optional FEISHU_APPROVAL_CODES. No instructions request unrelated host files or extra credentials. However the README/SKILL.md provides an alternative installation command that pipes a remote install.sh from https://backend.clawd.org.cn | sh — that downloads+executes an external script outside the package, which expands the runtime scope and risk.
Install Mechanism
Registry metadata lists a brew formula 'uv' (creates binary 'uv'), and SKILL.md suggests using a curl | sh installer hosted at backend.clawd.org.cn. Both raise supply-chain risk: 'uv' is an uncommon binary name (not the usual 'python'/'uvicorn') and the external install.sh URL is a direct download-and-execute from an unknown host. The install mechanisms are inconsistent (brew vs curl) and should be inspected before running.
Credentials
Requested environment variables are FEISHU_APP_ID and FEISHU_APP_SECRET (primaryEnv FEISHU_APP_ID) and an optional FEISHU_APPROVAL_CODES. These are appropriate and proportionate for a Feishu integration; the code uses them to obtain tenant_access_token and call open.feishu.cn APIs. No unrelated secrets or extra service credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide configs. It runs as a user service (FastAPI) and uses standard token caching; autonomous invocation is enabled by default but not combined with other escalating privileges here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install official-feishu-toolkit - After installation, invoke the skill by name or use
/official-feishu-toolkit - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Feishu Toolkit v1.0.1
- 新增 SKILL.md,提供全面的安装、配置及功能说明文档
- 详细列出支持的六大办公模块:日历、消息、审批、多维表格、通讯录、考勤
- 明确环境变量、所需权限及安装方式,便于用户快速集成与使用
- 补充各模块示例指令和常见问题说明
- 提供相关官方资源和详细文档链接
Metadata
Frequently Asked Questions
What is Official Feishu Toolkit?
飞书开放平台全面集成工具包。支持日历与会议室预约、消息发送、审批流程、多维表格操作、通讯录查询和考勤管理六大核心办公模块。 It is an AI Agent Skill for Claude Code / OpenClaw, with 490 downloads so far.
How do I install Official Feishu Toolkit?
Run "/install official-feishu-toolkit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Official Feishu Toolkit free?
Yes, Official Feishu Toolkit is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Official Feishu Toolkit support?
Official Feishu Toolkit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Official Feishu Toolkit?
It is built and maintained by Radium (@radium0028); the current version is v1.0.0.
More Skills