← Back to Skills Marketplace
100
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install schedule-sync-claw
Description
飞书日历智能协作 Skill。核心能力:(1) 智能约会——查询多人空闲时间、自动创建会议并发送邀请,(2) 日程同步——监听/查询日历变更并同步,(3) 会议背景预置——会前自动拉取相关飞书文档和会议纪要。激活场景:用户提到安排会议、约人开会、查空闲时间、日程协调、会议邀请、预置背景资料、会前准备、查日历、创建...
Usage Guidance
This skill mostly does what it says (Feishu calendar assistant) but there are important mismatches you should address before installing:
- The SKILL.md and scripts require FEISHU_APP_ID and FEISHU_APP_SECRET (tenant credentials) and also expect curl and jq, but the registry metadata declares no env vars or required binaries. Ask the publisher to explicitly declare required env vars, scopes, and binaries.
- Understand which mode will run: plugin mode uses user OAuth (user_access_token) and can read user free/busy and personal calendars — this requires explicit user consent. The fallback script uses tenant credentials and can act as the application on app calendars (still sensitive). Only grant the minimum scopes needed.
- The skill references reading a local plugin SKILL.md under ~/.openclaw — verify and consent before allowing the agent to read files in your home directory. Clarify whether the agent will automatically read local config files and get explicit consent if it does.
- The script caches a tenant token in /tmp/feishu_token_cache. Confirm you are comfortable with this behavior (token lifetime, filesystem visibility) or request a different cache location/approach.
If you decide to proceed: require the publisher to update metadata to list FEISHU_APP_ID and FEISHU_APP_SECRET, and to list required binaries (curl, jq); review and test the code in a controlled environment; and ensure least-privilege OAuth scopes for both app and user flows.
Capability Analysis
Type: OpenClaw Skill
Name: schedule-sync-claw
Version: 1.0.0
The skill bundle contains a JSON injection vulnerability in `scripts/feishu-calendar.sh` where the `summary` parameter is interpolated directly into a JSON string without escaping. Additionally, the script uses `cat` to read from file paths provided as arguments, which could be exploited to read sensitive local files if the agent is manipulated into passing unauthorized paths. While the skill's functionality is aligned with its stated purpose of Feishu calendar management, these implementation flaws pose a risk of unauthorized data modification or information disclosure.
Capability Assessment
Purpose & Capability
The functionality described (query free/busy, create/update events, fetch related docs) matches the included references and script. Using either a native openclaw-lark Feishu plugin (user identity) or a fallback tenant-level API script is coherent for a calendar assistant. However, the skill metadata declares no required env vars or binaries while the SKILL.md and scripts clearly need FEISHU_APP_ID/FEISHU_APP_SECRET and CLI tools (curl, jq), so declared requirements do not match actual needs.
Instruction Scope
SKILL.md instructs the agent to prefer a local plugin tool if present and references a specific local path (~/.openclaw/extensions/openclaw-lark/skills/feishu-calendar/SKILL.md) — implying reading local user config. The fallback script also caches tokens to /tmp and performs network calls to Feishu APIs. The instructions do not ask for any broad unrelated data, but they do entail reading a user-home path and require user OAuth (user access tokens) for freebusy queries; the intent to read local plugin files is scope creep and should be explicit in metadata/consent.
Install Mechanism
No install spec (instruction-only) and the included bash script are low-risk relative to arbitrary downloads. However, the script expects curl and jq on PATH and will write a token cache to /tmp/feishu_token_cache. The package does not declare these binary dependencies, which is a packaging/documentation inconsistency.
Credentials
The runtime fallback clearly requires FEISHU_APP_ID and FEISHU_APP_SECRET (tenant credentials) and the plugin mode requires user OAuth (user_access_token). Yet the registry metadata lists no required env vars or primary credential. That omission hides that installing/running the script will require and handle sensitive credentials. Tenant credentials allow app-level calendar access; user tokens allow reading user free/busy and personal calendar data — both are sensitive and should be declared and limited.
Persistence & Privilege
always:false and no install spec means the skill does not request persistent privileged placement. The only on-disk persistence is the script's token cache in /tmp under its own filename. It does not alter other skills or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install schedule-sync-claw - After installation, invoke the skill by name or use
/schedule-sync-claw - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
首次发布:飞书日历智能协作 Skill,支持创建会议、查空闲、日程管理、邀请回复、会议背景预置,含插件模式 + API脚本双引擎
Metadata
Frequently Asked Questions
What is 日程协办虾?
飞书日历智能协作 Skill。核心能力:(1) 智能约会——查询多人空闲时间、自动创建会议并发送邀请,(2) 日程同步——监听/查询日历变更并同步,(3) 会议背景预置——会前自动拉取相关飞书文档和会议纪要。激活场景:用户提到安排会议、约人开会、查空闲时间、日程协调、会议邀请、预置背景资料、会前准备、查日历、创建... It is an AI Agent Skill for Claude Code / OpenClaw, with 100 downloads so far.
How do I install 日程协办虾?
Run "/install schedule-sync-claw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 日程协办虾 free?
Yes, 日程协办虾 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 日程协办虾 support?
日程协办虾 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 日程协办虾?
It is built and maintained by Ricky (@tujinsama); the current version is v1.0.0.
More Skills