← 返回 Skills 市场

pmtools

Name: pmtools
Author: taoxiang-org

作者 taoxiang-org · GitHub ↗ · v1.0.2 · MIT-0

cross-platform ⚠ suspicious

215

总下载

当前安装

版本数

在 OpenClaw 中安装

/install pmtools

功能描述

Operate Feishu OKR via Feishu OpenAPI (periods, OKR list, progress records, images, reviews). Invoke when you need to query or update OKR progress.

安全使用建议

This skill implements Feishu OKR operations and is largely coherent with its description, but it auto-updates itself (runs git and a 'clawhub' command) and runs subprocesses that can change the skill code at runtime. Before installing, review these points: - Consider whether you are comfortable the skill can run git/clawhub and pull code into the skill directory; run it in a restricted/isolated environment if you are not. - The package will read/want FEISHU_APP_ID and FEISHU_APP_SECRET (to obtain tenant tokens) even though the manifest only lists FEISHU_ACCESS_TOKEN. Provide only the minimum credential needed (prefer an access token scoped to the required actions) and avoid storing broad app secrets in shared environments. - The skill writes cache files to your home directory (~/.cache/pmtools/...). If you prefer no persistence, point PM_TOOLS_TOKEN_CACHE_PATH and PM_TOOLS_UPDATE_CACHE_PATH to a safe location or remove them. - If you do not want automatic updates, avoid running the auto-update entry point or review/modify the script to disable updates; tests set a disable env but the code and CLI wrapper should be audited to confirm a supported disable flag exists. If you want higher assurance, inspect the full scripts/pm_tools.py file (and any update hooks) locally, and consider running the skill in an isolated container or VM before granting it access to real Feishu credentials.

功能分析

Type: OpenClaw Skill Name: pmtools Version: 1.0.2 The skill contains an auto-update mechanism in `scripts/pm_tools.py` that is triggered automatically before the execution of most commands. This mechanism uses `subprocess.run` to execute `git pull` and `clawhub update`, which introduces a significant supply chain risk and a remote code execution (RCE) vector by allowing the tool's code to be modified from remote repositories without explicit user intervention. While the behavior is documented in `SKILL.md` and `README.md`, the silent background update of executable code is a high-risk pattern typically avoided in secure software design.

能力评估

⚠ Purpose & Capability

Name/description (Feishu OKR operator) match the code: the scripts call Feishu OpenAPI endpoints and implement periods/okrs/progress/images/reviews. However the manifest lists only FEISHU_ACCESS_TOKEN as a required env var while the code also expects (and can require at runtime) FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_TENANT_ACCESS_TOKEN, and FEISHU_USER_ACCESS_TOKEN. The mismatch between declared requirements and actual credential usage is an incoherence worth flagging.

⚠ Instruction Scope

SKILL.md instructs the agent to auto-update before every command. The included code implements self-update behavior (runs git commands and a 'clawhub update') and performs HTTP calls, reads/writes token and update cache files, and will fetch tenant tokens using app id/secret if provided. Auto-update and the ability to run arbitrary CLI tools expands the agent's scope beyond simple API calls.

⚠ Install Mechanism

There is no install spec (instruction-only style), which is low risk in itself, but the runtime self-update executes subprocesses (git and clawhub) that can modify the skill code on disk. That effectively enables remote code changes to the skill at runtime — a higher-risk behavior than a pure instruction-only skill.

⚠ Credentials

The manifest only declares FEISHU_ACCESS_TOKEN, but the code will also read/expect FEISHU_APP_ID and FEISHU_APP_SECRET (to fetch tenant tokens), FEISHU_TENANT_ACCESS_TOKEN, FEISHU_USER_ACCESS_TOKEN, and several PM_TOOLS_* overrides. The skill writes token cache and update cache files under the user's home directory. Requesting app secrets and writing cached tokens is reasonable for this functionality, but the manifest should declare them — the omission reduces transparency.

ℹ Persistence & Privilege

always:false and no system-wide config changes are requested. The skill persists state by writing cache files (tenant token cache, update check cache) under the user's home (~/.cache/pmtools/...) and can update its own code via git/clawhub. This persistent presence is expected for a CLI tool but increases blast radius if updates are malicious.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install pmtools
安装完成后，直接呼叫该 Skill 的名称或使用 /pmtools 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

Version 1.0.2 - No file changes were detected in this release. - Documentation, commands, and functionality remain unchanged.

v1.0.0

# pm_tools Feishu OKR skill for OpenClaw/agents. ## Environment variables - `FEISHU_ACCESS_TOKEN`: Access token used for API calls (recommended). - `FEISHU_TENANT_ACCESS_TOKEN`: Required for `reviews-query` (doc requires tenant token). - `FEISHU_OKR_BASE_URL`: Override base URL for testing; default is `https://open.feishu.cn/open-apis/okr/v1`. ## Run tests From repo root: ```bash python3 -m unittest discover -s skills/pm_tools/tests -v ```

元数据

Slug pmtools

版本 1.0.2

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题

pmtools 是什么？

Operate Feishu OKR via Feishu OpenAPI (periods, OKR list, progress records, images, reviews). Invoke when you need to query or update OKR progress. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 215 次。

如何安装 pmtools？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install pmtools」即可一键安装，无需额外配置。

pmtools 是免费的吗？

是的，pmtools 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

pmtools 支持哪些平台？

pmtools 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 pmtools？

由 taoxiang-org（@taoxiang-org）开发并维护，当前版本 v1.0.2。