← 返回 Skills 市场

my-lark

Name: my-lark
Author: longsasasasasa

作者 LONGSASASASASA · GitHub ↗ · v3.0.0 · MIT-0

cross-platform ⚠ suspicious

111

总下载

当前安装

版本数

在 OpenClaw 中安装

/install my-lark

功能描述

飞书全能力技能。基于飞书官方工具服务，支持消息、群组、云文档、云盘、知识库、日历、审批、多维表格、电子表格、画板、通讯录全部模块。面向小白：安装即用，每一步都有操作指引；面向AI：每个接口均有调用示例、参数说明、权限要求和异常处理。触发词：发消息、搜索文档、查日历、查审批、建日程、拉群列表等。

安全使用建议

Do not install or run this skill in a production or sensitive account until the credential issue is resolved. Key points to consider before proceeding: - The shipped Python code contains a hardcoded App ID and App Secret: that means some API calls will be made under those embedded credentials (likely belonging to the skill author), not under your app. This can give the author/control-plane visibility or control over actions and is a privacy/security risk. - Ask the maintainer to remove hardcoded credentials and to use only the token file you provide, or replace the values in the code with your own app_id/app_secret before use. Prefer a version that reads credentials only from the documented token file. - Resolve the path inconsistencies (the docs alternate between /workspace/.lark_tokens.json and ~/.lark_tokens.json and reference differing script locations) so you know exactly which file is used. - Review or audit the lark-mcp npm package before installing it globally, and consider running the skill in an isolated environment (separate account or sandbox) first. - If you already used this skill with sensitive tokens, rotate those credentials (app_secret / tokens) to be safe.

功能分析

Type: OpenClaw Skill Name: my-lark Version: 3.0.0 The skill bundle contains hardcoded Feishu (Lark) credentials (APP_ID and APP_SECRET) in the 'lark_mcp.py' script, which directly contradicts the explicit claim in 'SKILL.md' that the skill contains no credentials. This discrepancy is a significant security risk. Furthermore, the documentation includes a 'one-click check' command that prints the contents of the sensitive '/workspace/.lark_tokens.json' file to the console, exposing user tokens to the AI agent's execution context. While the script interacts with the legitimate 'open.feishu.cn' domain, the presence of hardcoded secrets and the misleading documentation suggest either severe negligence or a potential attempt to facilitate unauthorized access if a user inadvertently grants permissions to the hardcoded application ID (cli_a9c97317ef78dbc6).

能力评估

⚠ Purpose & Capability

The skill is a Feishu/Lark integration and legitimately needs app/user credentials and the lark-mcp CLI. However SKILL.md repeatedly states "技能本身不含任何凭证" and instructs users to store credentials in /workspace/.lark_tokens.json, while lark_mcp.py contains hardcoded APP_ID and APP_SECRET values. That contradicts the stated claim and means the skill will perform some actions under the embedded credentials rather than the user's.

⚠ Instruction Scope

Instructions reference several different token paths (primary instructions use /workspace/.lark_tokens.json but some reference files under ~/.lark_tokens.json and different file locations for the script). The provided runtime commands point at /workspace/skills/lark-skill/lark_mcp.py while the script header and manifest suggest different paths. The code will read /workspace/.lark_tokens.json for user token use but will ignore it for App Token calls because APP_ID/APP_SECRET are hardcoded.

✓ Install Mechanism

No install spec in the bundle; SKILL.md suggests installing @larksuite/lark-mcp via npm (a normal public package). There is no download-from-arbitrary-URL or archive extraction in the manifest.

⚠ Credentials

The skill requests no environment variables, but the code includes hardcoded credentials (APP_ID and APP_SECRET) inside lark_mcp.py. This is disproportionate to the stated promise that the skill contains no credentials and means actions may occur under the author's/maintainer's app identity rather than the user's — a potential for unwanted access or data exposure.

✓ Persistence & Privilege

The skill is not marked always:true and does not request system-wide persistence or modify other skills. It performs network calls to Feishu and runs a local CLI subprocess, which is expected for this functionality.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install my-lark
安装完成后，直接呼叫该 Skill 的名称或使用 /my-lark 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v3.0.0

my-lark 3.0.0 - 全面升级为飞书全能力技能，支持消息、群组、云文档、云盘、知识库、日历、审批、多维表格、电子表格、画板、通讯录全部模块。 - 针对小白用户提供逐步操作指引，一键检查及详尽安装说明。 - 每个接口均含调用示例、参数说明、权限要求和异常处理，适合 AI 自动化集成。 - 支持便捷命令及底层 API 任意调用，覆盖常用业务场景。 - 新增标准凭证统一管理，便于多接口协同调用。 - 更新/细化功能场景列表、依赖检测、权限配置与完整调用流程。

元数据

Slug my-lark

版本 3.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

my-lark 是什么？

飞书全能力技能。基于飞书官方工具服务，支持消息、群组、云文档、云盘、知识库、日历、审批、多维表格、电子表格、画板、通讯录全部模块。面向小白：安装即用，每一步都有操作指引；面向AI：每个接口均有调用示例、参数说明、权限要求和异常处理。触发词：发消息、搜索文档、查日历、查审批、建日程、拉群列表等。它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 111 次。

如何安装 my-lark？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install my-lark」即可一键安装，无需额外配置。

my-lark 是免费的吗？

是的，my-lark 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

my-lark 支持哪些平台？

my-lark 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 my-lark？

由 LONGSASASASASA（@longsasasasasa）开发并维护，当前版本 v3.0.0。