← Back to Skills Marketplace

my-lark

Name: my-lark
Author: longsasasasasa

by LONGSASASASASA · GitHub ↗ · v3.0.0 · MIT-0

cross-platform ⚠ suspicious

111

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install my-lark

Description

飞书全能力技能。基于飞书官方工具服务，支持消息、群组、云文档、云盘、知识库、日历、审批、多维表格、电子表格、画板、通讯录全部模块。面向小白：安装即用，每一步都有操作指引；面向AI：每个接口均有调用示例、参数说明、权限要求和异常处理。触发词：发消息、搜索文档、查日历、查审批、建日程、拉群列表等。

Usage Guidance

Do not install or run this skill in a production or sensitive account until the credential issue is resolved. Key points to consider before proceeding: - The shipped Python code contains a hardcoded App ID and App Secret: that means some API calls will be made under those embedded credentials (likely belonging to the skill author), not under your app. This can give the author/control-plane visibility or control over actions and is a privacy/security risk. - Ask the maintainer to remove hardcoded credentials and to use only the token file you provide, or replace the values in the code with your own app_id/app_secret before use. Prefer a version that reads credentials only from the documented token file. - Resolve the path inconsistencies (the docs alternate between /workspace/.lark_tokens.json and ~/.lark_tokens.json and reference differing script locations) so you know exactly which file is used. - Review or audit the lark-mcp npm package before installing it globally, and consider running the skill in an isolated environment (separate account or sandbox) first. - If you already used this skill with sensitive tokens, rotate those credentials (app_secret / tokens) to be safe.

Capability Analysis

Type: OpenClaw Skill Name: my-lark Version: 3.0.0 The skill bundle contains hardcoded Feishu (Lark) credentials (APP_ID and APP_SECRET) in the 'lark_mcp.py' script, which directly contradicts the explicit claim in 'SKILL.md' that the skill contains no credentials. This discrepancy is a significant security risk. Furthermore, the documentation includes a 'one-click check' command that prints the contents of the sensitive '/workspace/.lark_tokens.json' file to the console, exposing user tokens to the AI agent's execution context. While the script interacts with the legitimate 'open.feishu.cn' domain, the presence of hardcoded secrets and the misleading documentation suggest either severe negligence or a potential attempt to facilitate unauthorized access if a user inadvertently grants permissions to the hardcoded application ID (cli_a9c97317ef78dbc6).

Capability Assessment

⚠ Purpose & Capability

The skill is a Feishu/Lark integration and legitimately needs app/user credentials and the lark-mcp CLI. However SKILL.md repeatedly states "技能本身不含任何凭证" and instructs users to store credentials in /workspace/.lark_tokens.json, while lark_mcp.py contains hardcoded APP_ID and APP_SECRET values. That contradicts the stated claim and means the skill will perform some actions under the embedded credentials rather than the user's.

⚠ Instruction Scope

Instructions reference several different token paths (primary instructions use /workspace/.lark_tokens.json but some reference files under ~/.lark_tokens.json and different file locations for the script). The provided runtime commands point at /workspace/skills/lark-skill/lark_mcp.py while the script header and manifest suggest different paths. The code will read /workspace/.lark_tokens.json for user token use but will ignore it for App Token calls because APP_ID/APP_SECRET are hardcoded.

✓ Install Mechanism

No install spec in the bundle; SKILL.md suggests installing @larksuite/lark-mcp via npm (a normal public package). There is no download-from-arbitrary-URL or archive extraction in the manifest.

⚠ Credentials

The skill requests no environment variables, but the code includes hardcoded credentials (APP_ID and APP_SECRET) inside lark_mcp.py. This is disproportionate to the stated promise that the skill contains no credentials and means actions may occur under the author's/maintainer's app identity rather than the user's — a potential for unwanted access or data exposure.

✓ Persistence & Privilege

The skill is not marked always:true and does not request system-wide persistence or modify other skills. It performs network calls to Feishu and runs a local CLI subprocess, which is expected for this functionality.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install my-lark
After installation, invoke the skill by name or use /my-lark
Provide required inputs per the skill's parameter spec and get structured output

Version History

v3.0.0

my-lark 3.0.0 - 全面升级为飞书全能力技能，支持消息、群组、云文档、云盘、知识库、日历、审批、多维表格、电子表格、画板、通讯录全部模块。 - 针对小白用户提供逐步操作指引，一键检查及详尽安装说明。 - 每个接口均含调用示例、参数说明、权限要求和异常处理，适合 AI 自动化集成。 - 支持便捷命令及底层 API 任意调用，覆盖常用业务场景。 - 新增标准凭证统一管理，便于多接口协同调用。 - 更新/细化功能场景列表、依赖检测、权限配置与完整调用流程。

Metadata

Slug my-lark

Version 3.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is my-lark?

飞书全能力技能。基于飞书官方工具服务，支持消息、群组、云文档、云盘、知识库、日历、审批、多维表格、电子表格、画板、通讯录全部模块。面向小白：安装即用，每一步都有操作指引；面向AI：每个接口均有调用示例、参数说明、权限要求和异常处理。触发词：发消息、搜索文档、查日历、查审批、建日程、拉群列表等。 It is an AI Agent Skill for Claude Code / OpenClaw, with 111 downloads so far.

How do I install my-lark?

Run "/install my-lark" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is my-lark free?

Yes, my-lark is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does my-lark support?

my-lark is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created my-lark?

It is built and maintained by LONGSASASASASA (@longsasasasasa); the current version is v3.0.0.

More Skills