← 返回 Skills 市场

Feishu Chat Server API

Name: Feishu Chat Server API
Author: wodenwang

作者 woden · GitHub ↗ · v0.1.3 · MIT-0

darwinlinux ⚠ suspicious

129

总下载

当前安装

版本数

在 OpenClaw 中安装

/install feishu-chat-server-api

功能描述

Manage Feishu group chats through Feishu server APIs, including create, get details, list members, add members, remove members, and disband chats.

使用说明 (SKILL.md)

Feishu Chat Server API

这个 skill 负责飞书群组管理相关能力，当前覆盖以下 action：

feishu-chat-create
feishu-chat-get
feishu-chat-members-list
feishu-chat-member-add
feishu-chat-member-remove
feishu-chat-disband

何时使用

当用户请求与飞书群组本身相关的操作时使用这个 skill，例如：

创建一个新群
查看某个群的详情
列出群成员
往群里加人
从群里移人
解散群

如果用户请求的是消息发送、卡片、文档、多维表格、审批等能力，不要用这个 skill，应该路由到对应模块级 skill。

路由规则

根据用户意图选择具体 action：

创建群：feishu-chat-create
获取群详情：feishu-chat-get
获取群成员列表：feishu-chat-members-list
拉人入群：feishu-chat-member-add
移出群成员：feishu-chat-member-remove
解散群：feishu-chat-disband

不要把“移除一个成员”和“解散整个群”混淆。

通用输入

凭证优先级如下：

action 显式传入 app_id / app_secret
当前工作目录下的 .local/feishu-extension-skills.json
环境变量 FEISHU_APP_ID / FEISHU_APP_SECRET

如果这 3 层都没有命中，调用会失败。

也可以在调用命令里通过 --config-file /path/to/file.json 显式指定本地配置文件路径。

群相关 action 还需要按场景提供：

chat_id
name
user_id_list
member_id

约束：

只接受飞书 user_id 或 open_id
不要自行猜测邮箱、手机号、姓名对应的用户 ID

调用命令

统一调用入口：

uvx --from git+https://github.com/wodenwang/feishu-extension-skills.git feishu-extension-skills invoke \x3Caction> --args-json '\x3Cjson>'

ClawHub 安装：

clawhub install feishu-chat-server-api

本地配置文件示例：

{
  "app_id": "cli_xxx",
  "app_secret": "sec_xxx"
}

示例：

uvx --from git+https://github.com/wodenwang/feishu-extension-skills.git feishu-extension-skills invoke feishu-chat-create --args-json '{"app_id":"cli_xxx","app_secret":"sec_xxx","name":"项目临时群","user_id_list":["ou_xxx","ou_yyy"]}'

uvx --from git+https://github.com/wodenwang/feishu-extension-skills.git feishu-extension-skills invoke feishu-chat-member-add --args-json '{"app_id":"cli_xxx","app_secret":"sec_xxx","chat_id":"oc_xxx","user_id_list":["ou_xxx"]}'

当前未覆盖

这个 skill 当前还没有封装以下群治理接口：

更新群信息
更新群发言权限
获取群成员发言权限
更新群置顶 / 撤销群置顶
获取用户或机器人所在的群列表
搜索可见群列表
获取群分享链接

安全使用建议

What to check before installing: - Confirm which CLI is required: the SKILL.md uses 'uvx' but the manifest/install references 'uv' — verify the correct binary and its origin. - Inspect the GitHub repository (https://github.com/wodenwang/feishu-extension-skills) before use: the runtime examples pull and execute code from that repo (git+https). Running externally fetched code with your Feishu credentials could exfiltrate secrets. - Avoid passing app_secret on the command line; prefer environment variables or a secured config file, and protect local config (.local/feishu-extension-skills.json). - Verify the brew formula 'uv' is the intended, trusted package and whether it provides 'uvx' behavior; if not, the install spec is incomplete/misleading. - If you need stronger assurance, ask the publisher for the exact code bundle the skill will execute (or include the code in the skill package) and ensure the agent runs it in a restricted environment. Until these issues are resolved, treat this skill as potentially risky and consider not enabling autonomous invocation.

功能分析

Type: OpenClaw Skill Name: feishu-chat-server-api Version: 0.1.3 The skill acts as a wrapper that instructs the agent to execute remote code via 'uvx' from a GitHub repository (github.com/wodenwang/feishu-extension-skills.git) rather than providing local logic. While this behavior is plausibly intended for its stated purpose of Feishu API management, the pattern of fetching and running remote payloads at runtime is a high-risk execution model that facilitates supply chain attacks. No explicit malicious intent or data exfiltration was found in the provided SKILL.md or _meta.json.

能力评估

ℹ Purpose & Capability

The skill claims to manage Feishu chats and expects Feishu app_id/app_secret at runtime, which is appropriate. However registry metadata requires the 'uv' binary while the runtime examples call 'uvx' (different binary). The skill also does not declare FEISHU_APP_ID/FEISHU_APP_SECRET in its manifest even though SKILL.md references them as credential fallbacks. These mismatches reduce confidence that the declared requirements accurately reflect what will actually run.

⚠ Instruction Scope

SKILL.md instructs calls like `uvx --from git+https://github.com/wodenwang/feishu-extension-skills.git ... invoke <action> --args-json '<json>'`. That means the agent will fetch and execute code from a GitHub repo at runtime rather than using only the shipped skill bundle. The docs also show passing app_secret on the command line (exposed to shell history/process list). The skill instructs where to read credentials (explicit args, .local/feishu-extension-skills.json, or ENV), which is reasonable, but the dynamic fetching+execution of remote code combined with CLI-passed secrets is a notable risk.

⚠ Install Mechanism

The manifest provides a brew install for formula 'uv' (low-risk installer), but the runtime examples call 'uvx' and use a --from git+https source to pull the extension at invocation time. The install spec does not cover the dynamic git+https fetch; executing code pulled from a remote repository at runtime increases attack surface. Also the referenced brew formula name and the binary name used in examples don't match.

ℹ Credentials

The only credentials needed for Feishu operations are app_id/app_secret, which the SKILL.md documents as required in either arguments, a local config file, or environment variables — this is proportionate. However the manifest does not declare FEISHU_APP_ID/FEISHU_APP_SECRET even though the instructions reference them. Also the examples encourage passing secrets in command-line JSON, which risks exposure (shell history, process list).

ℹ Persistence & Privilege

The skill does not request always:true and is user-invocable only (good). However the agent is allowed to invoke the skill autonomously (default), and because the skill's instructions fetch and run remote code, autonomous invocation would increase blast radius. Consider limiting autonomous use until the external code provenance is verified.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install feishu-chat-server-api
安装完成后，直接呼叫该 Skill 的名称或使用 /feishu-chat-server-api 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.3

Add --config-file support for local auth config

v0.1.2

Add local config fallback for app credentials

v0.1.1

Sanitize docs and localize UAT secrets handling

v0.1.0

Initial ClawHub release for Feishu Chat Server API

元数据

Slug feishu-chat-server-api

版本 0.1.3

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 4

常见问题