abigale-cyber

Content System Feishu Bitable Sync

Author: Abigale-cyber · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 81
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install content-system-feishu-bitable-sync
Description
Sync a local `wechat-report` result into Feishu Bitable after the user has reviewed the report and confirmed the sync.
Usage (SKILL.md)

feishu-bitable-sync

This skill is never triggered automatically; it runs only after the user explicitly confirms "send to Feishu".

Supported inputs:

  • content-production/inbox/YYYYMMDD-{slug}-wechat-report.md
  • content-production/inbox/raw/wechat-report/YYYY-MM-DD/{slug}.json

Environment variables that must be set before running:

  • FEISHU_APP_ID
  • FEISHU_APP_SECRET
  • FEISHU_BITABLE_APP_TOKEN
  • FEISHU_BITABLE_TABLE_ID
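  • Optional: FEISHU_SYNC_AUTH_MODE (default: user)
  • Optional: FEISHU_OAUTH_REDIRECT_URI (default: http://127.0.0.1:14578/callback)

Default behavior:

  • Prefers the Feishu user_access_token cached on the local machine
  • If not yet authorized, writes an auth_required receipt and prompts you to run feishu-user-auth first
  • If the token refresh fails or the write to Feishu fails, additionally exports a fallback CSV file

Output: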

  • content-production/published/YYYYMMDD-{slug}-feishu-sync.md
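  • On failure fallback: content-production/published/YYYYMMDD-{slug}-feishu-import.csv

Sync strategy:

  • One row per article
  • Deduplicates by source_url
  • Re-syncing updates the existing row instead of adding a duplicate
Security usage recommendations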
This skill appears to legitimately sync local wechat-report data to Feishu Bitable, but beware: (1) the package metadata wrongly omits required environment variables — you must set FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BITABLE_APP_TOKEN, and FEISHU_BITABLE_TABLE_ID before running; (2) the skill will follow a 'Raw JSON:<path>' line in the input markdown and may read that absolute path from disk — only run it on trusted input in an isolated workspace; (3) it uses and caches user/tenant tokens locally (protect those files); and (4) if you need higher assurance, review the feishu_auth helper module (not included here) and inspect runtime.py end-to-end. If any of these are unacceptable, do not install or run the skill until the metadata and documentation are corrected and you’ve audited token handling.
Functional analysis
Type: OpenClaw Skill
Name: content-system-feishu-bitable-sync
Version: 1.0.0

The skill is designed to sync WeChat reports to Feishu Bitable as described. However, it contains a path traversal vulnerability in `runtime.py` within the `resolve_raw_payload_path` function, which extracts a file path from the input Markdown content using a regex and uses it (even if absolute) without validation. This could allow an attacker to trigger arbitrary file reads or overwrites if they can control the content of the input report. While the logic appears aligned with its stated purpose and lacks clear malicious intent, the lack of path sanitization is a significant security flaw.
Capability assessment
Purpose & Capability
The code and SKILL.md match the stated purpose (reading local wechat-report JSON/MD and writing rows to Feishu Bitable). The required Feishu credentials (app id/secret, app token, table id) are appropriate for this integration. HOWEVER the registry metadata supplied with the skill declares no required environment variables or primary credential, which is inconsistent with the runtime and SKILL.md.
Instruction Scope
The runtime follows the documented flow: read the provided input file (markdown or JSON), optionally resolve a Raw JSON path referenced inside the markdown, obtain tenant/user tokens, and upsert records into Feishu. One noteworthy behavior: resolve_raw_payload_path will accept an absolute path parsed from the markdown and read it. That means a malicious or mistaken markdown input could cause the skill to read arbitrary local files referenced by the Raw JSON line. The skill also reads/writes token cache files and outputs under content-production/published as described — these are within the stated scope but should be noted.
Install Mechanism
This is instruction + runtime code only; there is no install spec that downloads arbitrary artifacts. No network install URLs or package downloads are present in the bundle, so install risk is low.
Credentials
The runtime (and SKILL.md/README) require FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BITABLE_APP_TOKEN, and FEISHU_BITABLE_TABLE_ID, which are proportionate for Feishu Bitable access. The concern is that the skill's registry metadata lists 'Required env vars: none' and 'Primary credential: none', which is incorrect and misleading — users may install without realizing they must provide sensitive app secrets. The runtime also uses cached user tokens (token cache files) which may contain sensitive tokens and should be stored/handled securely.
Persistence & Privilege
Flags show always=false and the skill does not request persistent platform privileges. It writes only to its own outputs (published CSV/MD) and token cache; there is no evidence it alters other skills or global agent settings.
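How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install content-system-feishu-bitable-sync
  3. Once installed, invoke the Skill by name or trigger it with /content-system-feishu-bitable-sync
  4. Provide the inputs described in the Skill's parameter documentation to get structured output
Version history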
v1.0.0
Initial release of feishu-bitable-sync.
  • Allows users to sync reviewed local `wechat-report` results to Feishu Bitable with explicit confirmation.
  • Supports both Markdown and JSON wechat report formats as input.
  • Requires Feishu-related environment variables for setup.
  • Handles user auth: requests manual authorization if needed and caches user tokens.
  • Failed sync attempts trigger CSV fallback export.
  • Ensures idempotent sync by de-duplicating via `source_url` and updating existing rows.
Metadata
Slug content-system-feishu-bitable-sync
Version 1.0.0
License MIT-0
Total installs 1
Current installs 1
Number of versions 1
FAQ

What is Content System Feishu Bitable Sync?

Sync a local `wechat-report` result into Feishu Bitable after the user has reviewed the report and confirmed the sync. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 81 total downloads to date.

How do I install Content System Feishu Bitable Sync?

Run the command "/install content-system-feishu-bitable-sync" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Content System Feishu Bitable Sync free?

Yes, Content System Feishu Bitable Sync is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Content System Feishu Bitable Sync support?

Content System Feishu Bitable Sync is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Content System Feishu Bitable Sync?

It is developed and maintained by Abigale-cyber (@abigale-cyber); the current version is v1.0.0.
