← 返回 Skills 市场
490
总下载
0
收藏
9
当前安装
1
版本数
在 OpenClaw 中安装
/install official-feishu-toolkit
功能描述
飞书开放平台全面集成工具包。支持日历与会议室预约、消息发送、审批流程、多维表格操作、通讯录查询和考勤管理六大核心办公模块。
安全使用建议
What to check before installing:
- Do NOT run curl https://backend.clawd.org.cn/... | sh without review. That command downloads and executes an external script from an unknown host—inspect the script contents and verify its source first.
- Verify the 'uv' brew formula: confirm which tap provides it and inspect the formula contents. 'uv' is not a common system dependency for Python/uvicorn, so confirm it's legitimate for your environment.
- The skill will get FEISHU_APP_ID and FEISHU_APP_SECRET; those credentials let the app obtain tenant_access_token and perform all API actions listed (send messages, read contacts, manage approvals, attendance, bitable, calendar). Only grant the minimum permissions needed in the Feishu developer console and consider using a dedicated test app/tenant first.
- If you want lower risk, install from the included source files directly: create a Python virtualenv, pip install the package dependencies from pyproject.toml, set env vars locally, and run uvicorn pointing at feishu_toolkit.main — avoid opaque install scripts.
- If the publisher can provide an official homepage or signed release (or if the install script is hosted on a well-known, verifiable domain such as a GitHub release), that would reduce supply-chain concern; ask the publisher for those artifacts. If you cannot verify the install sources, treat this skill as higher risk.
功能分析
Type: OpenClaw Skill
Name: official-feishu-toolkit
Version: 1.0.0
The skill's core functionality and runtime code appear benign, providing a comprehensive toolkit for Feishu API integration (calendar, messaging, approval, etc.). All external API calls are directed to the official Feishu domain. However, the installation instructions in `SKILL.md` and `README.md` recommend executing a remote script via `curl -sL "https://backend.clawd.org.cn/api/skills/official%2Ffeishu-toolkit/install.sh" | sh`. While `clawd.org.cn` is presumed to be the official OpenClaw backend, this `curl | sh` pattern represents a significant Remote Code Execution (RCE) vulnerability, as it executes arbitrary code downloaded from a remote server without prior inspection. This is a high-risk installation method, classifying the skill as suspicious due to this inherent vulnerability, even without evidence of malicious intent in the skill's own code or explicit prompt injection.
能力评估
Purpose & Capability
Name/description (Feishu toolkit) match the code and declared env vars: the server implements calendar, messaging, approval, bitable, contacts and attendance APIs and only requires FEISHU_APP_ID / FEISHU_APP_SECRET. The required binary 'uv' is odd but is used in the README/SKILL.md to run virtualenv/pip/uvicorn; it's not fundamentally incompatible with the stated purpose.
Instruction Scope
Runtime instructions are scoped to running a local FastAPI service and configuring FEISHU credentials; the code reads only FEISHU_APP_ID, FEISHU_APP_SECRET and optional FEISHU_APPROVAL_CODES. No instructions request unrelated host files or extra credentials. However the README/SKILL.md provides an alternative installation command that pipes a remote install.sh from https://backend.clawd.org.cn | sh — that downloads+executes an external script outside the package, which expands the runtime scope and risk.
Install Mechanism
Registry metadata lists a brew formula 'uv' (creates binary 'uv'), and SKILL.md suggests using a curl | sh installer hosted at backend.clawd.org.cn. Both raise supply-chain risk: 'uv' is an uncommon binary name (not the usual 'python'/'uvicorn') and the external install.sh URL is a direct download-and-execute from an unknown host. The install mechanisms are inconsistent (brew vs curl) and should be inspected before running.
Credentials
Requested environment variables are FEISHU_APP_ID and FEISHU_APP_SECRET (primaryEnv FEISHU_APP_ID) and an optional FEISHU_APPROVAL_CODES. These are appropriate and proportionate for a Feishu integration; the code uses them to obtain tenant_access_token and call open.feishu.cn APIs. No unrelated secrets or extra service credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide configs. It runs as a user service (FastAPI) and uses standard token caching; autonomous invocation is enabled by default but not combined with other escalating privileges here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install official-feishu-toolkit - 安装完成后,直接呼叫该 Skill 的名称或使用
/official-feishu-toolkit触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Feishu Toolkit v1.0.1
- 新增 SKILL.md,提供全面的安装、配置及功能说明文档
- 详细列出支持的六大办公模块:日历、消息、审批、多维表格、通讯录、考勤
- 明确环境变量、所需权限及安装方式,便于用户快速集成与使用
- 补充各模块示例指令和常见问题说明
- 提供相关官方资源和详细文档链接
元数据
常见问题
Official Feishu Toolkit 是什么?
飞书开放平台全面集成工具包。支持日历与会议室预约、消息发送、审批流程、多维表格操作、通讯录查询和考勤管理六大核心办公模块。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 490 次。
如何安装 Official Feishu Toolkit?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install official-feishu-toolkit」即可一键安装,无需额外配置。
Official Feishu Toolkit 是免费的吗?
是的,Official Feishu Toolkit 完全免费(开源免费),可自由下载、安装和使用。
Official Feishu Toolkit 支持哪些平台?
Official Feishu Toolkit 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Official Feishu Toolkit?
由 Radium(@radium0028)开发并维护,当前版本 v1.0.0。
推荐 Skills