Total downloads: 74 | Favorites: 0 | Current installs: 0 | Versions: 1
Install in OpenClaw
/install feishu-api
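Description
Feishu Open Platform API skill. Used to: (1) call Feishu open APIs for operations beyond what the plugin covers (such as batch writes, permission management, folder operations); (2) implement the OAuth user authorization flow; (3) process data in batches. When the user mentions the Feishu API, the Feishu Open Platform, OAuth authorization, user_access_token, or needs to batch-operate on Feishu data (Bitable batch...
Usage (SKILL.md)
Feishu Open Platform API
This skill provides the ability to call Feishu open APIs directly, as a complement to the Feishu plugin tools.
Core concepts
Authentication methods
| Type | Purpose | Validity |
|---|---|---|
| tenant_access_token | Call APIs with the application's identity | 2 hours |
| user_access_token | Act on behalf of a user | Short-lived; must be refreshed |

Important: no script may hardcode app_id, app_secret, or access_token. Read them from a configuration file or use environment variables.
Reading credentials
Feishu credentials are stored in ~/.openclaw/openclaw.json under channels.feishu: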
```python
import json

# Load the OpenClaw config and pull out the Feishu channel credentials
with open('/root/.openclaw/openclaw.json') as f:
    config = json.load(f)

feishu_cfg = config.get('channels', {}).get('feishu', {})
APP_ID = feishu_cfg.get('appId', '')
APP_SECRET = feishu_cfg.get('appSecret', '')
```
Typical workflow
1. Get a token
```python
import ssl, urllib.request, json

def get_app_access_token(app_id, app_secret):
    # Exchange app_id / app_secret for a tenant_access_token
    url = 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal'
    data = json.dumps({'app_id': app_id, 'app_secret': app_secret}).encode()
    req = urllib.request.Request(url, data=data, method='POST')
    req.add_header('Content-Type', 'application/json')
    # This context disables TLS certificate verification
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as r:
        return json.loads(r.read()).get('tenant_access_token')
```
2. Call an API
```python
import ssl, urllib.request, json

def call_feishu_api(url, method, token, payload=None):
    # This context disables TLS certificate verification
    ctx = ssl._create_unverified_context()
    data = json.dumps(payload, ensure_ascii=False).encode() if payload else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header('Authorization', f'Bearer {token}')
    req.add_header('Content-Type', 'application/json')
    with urllib.request.urlopen(req, context=ctx, timeout=30) as r:
        return json.loads(r.read())
```
3. Batch operations on Bitable
```python
# app_token, table_id, items and token are supplied by the caller.
# '字段名' / '值' are placeholders for a field name and its value.

# Batch-create records
url = f'https://open.feishu.cn/open-apis/bitable/v1/apps/{app_token}/tables/{table_id}/records/batch_create'
payload = {'records': [{'fields': {'字段名': '值'}} for item in items]}
result = call_feishu_api(url, 'POST', token, payload)

# Batch-delete records
url = f'https://open.feishu.cn/open-apis/bitable/v1/apps/{app_token}/tables/{table_id}/records/batch_delete'
payload = {'records': ['record_id_1', 'record_id_2']}
result = call_feishu_api(url, 'POST', token, payload)
```
4. Permission management
```python
# Add a collaborator (file_token and token are supplied by the caller)
url = f'https://open.feishu.cn/open-apis/drive/v1/permissions/{file_token}/members?type=bitable'
payload = {
    'member_type': 'openid',  # or email, userid, unionid
    'member_id': 'ou_xxx',    # the user's open_id
    'perm': 'edit'            # view | edit | full_access
}
result = call_feishu_api(url, 'POST', token, payload)
```
Common API endpoints
| Function | Endpoint |
|---|---|
| Batch-create Bitable records | POST /bitable/v1/apps/{app_token}/tables/{table_id}/records/batch_create |
| Batch-delete Bitable records | POST /bitable/v1/apps/{app_token}/tables/{table_id}/records/batch_delete |
| Update a record | PUT /bitable/v1/apps/{app_token}/tables/{table_id}/records/{record_id} |
| Add a permission member | POST /drive/v1/permissions/{file_token}/members?type={type} |
| List permission members | GET /drive/v1/permissions/{file_token}/members?type={type} |
| Create a folder | POST /drive/v1/files/create_folder |
| Move a file | POST /drive/v1/files/{file_token}/move |
| Upload a file | POST /drive/v1/files/upload_all |
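Detailed references
- OAuth authorization flow: see references/oauth.md
- Bitable API: see references/bitable.md
- Cloud document management: see references/drive.md
Data security guidelines
- No hardcoded credentials: always read them from a configuration file
- No sensitive output: do not print tokens, secrets, and the like
- Least privilege: request only the permission scopes you need
- Regular refresh: refresh tokens before they expire
Rate limits
- Regular APIs: 10 requests per second per app
- File upload: 60 per minute per app
- Batch endpoints: at most 50 records per batch
Security recommendations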
Before installing, consider these points:
- The skill will try to read Feishu credentials from a local config file (examples show '/root/.openclaw/openclaw.json' and '~/.openclaw/openclaw.json') but the package metadata doesn't declare that config path or any required secrets — ask the author to declare required config paths or accept credentials via environment variables instead.
- The Python code disables TLS certificate verification (ssl._create_unverified_context), which makes network traffic vulnerable to MITM; require fixing this to verify certificates in production.
- Verify the script's file-reading behavior and that it won't attempt to access other sensitive files. The hardcoded /root path is unusual — confirm it will work under your agent user and won't leak other system files.
- Inspect and test the file-upload implementation (references/drive.md) — it builds multipart payloads by interpolating binary data into strings which can corrupt binary uploads and may be memory-inefficient.
- Ask the maintainer to: (1) declare required config paths or env vars in metadata, (2) remove unverified SSL contexts, (3) support configurable credential locations (env vars or explicit config parameter) instead of fixed '/root' paths, and (4) document expected permissions/scopes for OAuth.
- If you must use it now, run it in a restricted environment, audit the openclaw.json contents, and avoid running with elevated privileges until these issues are resolved.
These issues look like sloppy engineering rather than clearly malicious intent, but they increase risk — require the fixes above or more information from the author before trusting the skill.
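The fixes requested above, sketched as an added example (not the skill's own code): credentials come from environment variables or an explicitly chosen config file that must be owner-only, requests use a verifying TLS context, and the bearer token is only attached to HTTPS requests for open.feishu.cn. The variable names FEISHU_APP_ID, FEISHU_APP_SECRET and OPENCLAW_CONFIG and all helper names are assumptions.

```python
import json, os, ssl, stat, urllib.request
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"open.feishu.cn"}  # the only API host used on this page

def load_credentials(env=os.environ, config_path=None):
    """Env vars first, then an explicitly chosen config file (no fixed /root path)."""
    app_id, secret = env.get("FEISHU_APP_ID"), env.get("FEISHU_APP_SECRET")  # assumed names
    if app_id and secret:
        return app_id, secret
    path = config_path or env.get("OPENCLAW_CONFIG")  # assumed name
    if not path:
        raise RuntimeError("no credentials: set the env vars or pass config_path")
    path = os.path.expanduser(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # secrets file must be owner-only
        raise PermissionError(f"{path} is accessible to group/other (mode {mode:o})")
    with open(path, encoding="utf-8") as f:
        cfg = json.load(f).get("channels", {}).get("feishu", {})
    if not cfg.get("appId") or not cfg.get("appSecret"):
        raise RuntimeError("channels.feishu.appId / appSecret missing")
    return cfg["appId"], cfg["appSecret"]

def verified_context():
    """Default context: CA validation and hostname checking stay enabled."""
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification is not enabled")
    return ctx

def build_request(url, method, token, payload=None):
    """Attach the bearer token only to HTTPS requests for an allowed host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to send token to {parts.scheme}://{parts.hostname}")
    data = json.dumps(payload, ensure_ascii=False).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req

def call_feishu_api(url, method, token, payload=None, timeout=30):
    ctx = verified_context()
    with urllib.request.urlopen(build_request(url, method, token, payload),
                                context=ctx, timeout=timeout) as r:
        return json.loads(r.read())

def redact(secret):
    """Loggable stand-in for a token or secret: length only."""
    return f"<redacted:{len(secret)} chars>"
```

The permission check relies on POSIX file modes, so it assumes a Unix-like host.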
Functional analysis
Type: OpenClaw Skill
Name: feishu-api
Version: 1.0.0
The skill provides functional Feishu API integration but contains a significant security vulnerability by explicitly disabling SSL certificate verification (using ssl._create_unverified_context) in scripts/feishu_utils.py and SKILL.md, making the agent susceptible to Man-in-the-Middle (MITM) attacks. Additionally, it targets a specific sensitive configuration path (/root/.openclaw/openclaw.json) to retrieve credentials. While these practices are high-risk and insecure, there is no clear evidence of intentional malice or data exfiltration to non-Feishu domains.
Capability assessment
Purpose & Capability
Name/description claim Feishu API and OAuth handling which matches the provided code and docs, but the skill expects credentials in a local config file (~/.openclaw/openclaw.json / /root/.openclaw/openclaw.json) while the registry metadata declares no required config paths or credentials — this mismatch is unexpected and should have been declared.
Instruction Scope
SKILL.md and the included scripts instruct the agent to read a specific local file (/root/.openclaw/openclaw.json) for secrets and to perform network calls to Feishu endpoints — these are coherent with the Feishu purpose, but the instructions also embed use of ssl._create_unverified_context() (disables TLS verification) in multiple request functions, which weakens transport security and is a notable security concern.
Install Mechanism
There is no install spec (instruction-only plus utility script). No remote downloads or third-party package installs are requested, which lowers supply-chain risk.
Credentials
The skill asks to read sensitive credentials from a local configuration file but declares no required env vars or config paths in metadata. Also the code uses an absolute '/root/.openclaw/openclaw.json' path (and SKILL.md refers to '~/.openclaw'), which is inconsistent and may imply elevated filesystem expectations. Secrets access is not explicitly declared/justified in the registry metadata.
Persistence & Privilege
always:false and model invocation not disabled (normal). The skill does not request persistent platform-wide privileges or modify other skills; no elevated 'always' privilege is present.
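How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install feishu-api
- After installation, call the skill by name or use /feishu-api to trigger it
- Provide the required inputs according to the skill's parameter description to get structured output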
Version history
v1.0.0
Initial release: includes the OAuth flow, Bitable batch operations, cloud document permission management, and utility scripts
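FAQ
What is Feishu Open Platform API?
Feishu Open Platform API skill. Used to: (1) call Feishu open APIs for operations beyond what the plugin covers (such as batch writes, permission management, folder operations); (2) implement the OAuth user authorization flow; (3) process data in batches. When the user mentions the Feishu API, the Feishu Open Platform, OAuth authorization, user_access_token, or needs to batch-operate on Feishu data (Bitable batch... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 74 downloads to date.
How do I install Feishu Open Platform API?
Run the command "/install feishu-api" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Feishu Open Platform API free?
Yes, Feishu Open Platform API is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Feishu Open Platform API support?
Feishu Open Platform API runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Feishu Open Platform API?
It is developed and maintained by Noir (@noir-hedgehog); the current version is v1.0.0.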