Feishu Docx

v1.0.2

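A skill for creating and editing Feishu cloud documents (docx). It supports creating documents, appending content, batch-updating blocks and similar operations through the API. Using this skill requires an App ID and an App Secret.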

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to be a Feishu Docx create/edit helper and therefore would reasonably need an App ID and App Secret — however the registry metadata lists no required env vars or primary credential. The code embeds an App ID, App Secret and a folder_token directly in multiple scripts (and prints tenant doc URLs), which is inconsistent with the registry declaring no credentials and exposes account-scoped secrets/targets.
! Instruction Scope
SKILL.md and code show expected Feishu API calls, but multiple included scripts reference absolute local filesystem paths (e.g. /Users/cpjhy0535/.openclaw/... ) and will read and upload local files. SKILL.md also prints explicit secret values. The instructions/code therefore have scope beyond just calling an API: they assume access to specific local files and target a specific folder/account.
Install Mechanism
No install spec (instruction-only) reduces installation risk, but the package includes executable Python scripts. There is no declared install step or sandboxing: running these scripts will execute network calls and filesystem reads. That means the risk is operational (what you run) rather than coming from a remote installer.
! Credentials
Although registry metadata lists no required env vars, SKILL.md tells users to set FEISHU_APP_ID and FEISHU_APP_SECRET — and the same credentials are hard-coded in multiple scripts along with a folder_token. Hard-coded credentials and account-scoped folder tokens are disproportionate and unsafe. The skill requires credential-level access to a Feishu tenant but does not declare or justify that access in metadata.
Persistence & Privilege
The skill does not set always: true, is user-invocable, and allows autonomous invocation by default (normal). It does not request to modify other skills or system-wide settings in the provided files.
What to consider before installing
Do not blindly run these scripts. Key issues: (1) multiple files contain hard-coded Feishu App ID, App Secret and folder_token — treat these as leaked credentials; avoid using them. (2) Several scripts read absolute local paths and will upload local files if executed — inspect and edit paths before running. (3) The registry metadata claims no required env vars but SKILL.md requires FEISHU_APP_ID/FEISHU_APP_SECRET — this mismatch is suspicious. Recommended actions before installing or running: review and remove any hard-coded secrets, replace with your own credentials stored in environment variables, verify the folder_token and tenant are ones you control (rotate secrets if you used the exposed values), search your environment for any accidental use of the included absolute paths, and run the code in a sandboxed environment. If you cannot verify the provenance of the embedded credentials and folder targets, avoid using the skill.
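
The pre-run review recommended above (hard-coded credentials, absolute local paths, environment variables used but not declared in registry metadata) can be sketched as a small audit script. This is an added example, not code from the skill or from the scanner that produced this report; the regexes, the audit_skill function and the sample files are assumptions, and all sample values are constructed placeholders.

```python
import re

# Credential names the scan reports as hard-coded, assigned a quoted literal
# (code) or an unquoted value after a colon (SKILL.md style).
HARDCODED = re.compile(
    r"""\b(?:feishu_)?(app_id|app_secret|folder_token)\b\s*
        (?:[:=]\s*["']([^"'\s]{8,})["'] | :\s*([^\s"']{8,}))""",
    re.IGNORECASE | re.VERBOSE)
# Absolute per-user paths such as /Users/<name>/... or /home/<name>/...
ABS_PATH = re.compile(r"""(?:/Users|/home)/[^\s"')]+""")
ENV_VAR = re.compile(r"\bFEISHU_[A-Z0-9_]+\b")


def audit_skill(files, declared_env):
    """files: {relative path: text}. declared_env: env vars in registry metadata.
    Returns sorted (path, line number, finding kind, detail) tuples."""
    findings = set()
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in HARDCODED.finditer(line):
                # Report the field name only, never the secret value itself.
                findings.add((path, lineno, "hardcoded-credential", m.group(1).lower()))
            for m in ABS_PATH.finditer(line):
                findings.add((path, lineno, "absolute-local-path", m.group(0)))
            for name in ENV_VAR.findall(line):
                if name not in declared_env:
                    findings.add((path, lineno, "undeclared-env-var", name))
    return sorted(findings)


# Constructed sample input: placeholder values, not the skill's real files.
SAMPLE_FILES = {
    "SKILL.md": "FEISHU_APP_ID: cli_PLACEHOLDER0001\n"
                "FEISHU_APP_SECRET: PLACEHOLDERSECRET000000000000001\n",
    "scripts/upload.py": 'client = FeishuDocx(app_id="cli_PLACEHOLDER0001",\n'
                         '                    app_secret=os.environ["FEISHU_APP_SECRET"])\n'
                         'src = open("/Users/example/.openclaw/notes.md").read()\n',
}

if __name__ == "__main__":
    for finding in audit_skill(SAMPLE_FILES, declared_env=set()):
        print(*finding, sep="\t")
```

A credential read from os.environ is not flagged as hard-coded, but its variable name is still reported when the registry metadata does not declare it.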

Like a lobster shell, security has layers — review code before you run it.

latestvk972154rsgaax4br99y4xk2dn582858x
358 downloads
0 stars
3 versions
Updated 1mo ago
v1.0.2
MIT-0

Feishu Docx Skill

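This skill wraps the core operations of the Feishu cloud document (docx) API, letting the boss quickly read and write Feishu documents.

Authentication

Before using this skill, make sure the following environment variables are set, or pass the values explicitly in code: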

  • FEISHU_APP_ID: cli_a92c5076b7789cd2
  • FEISHU_APP_SECRET: 9jPdCn49G54RFoEoDPUCVcptnWZnTZqp

Core workflow

  1. Get an access token: use tenant_access_token for app-level authentication.
  2. Create a document: call POST /open-apis/docx/v1/documents to create an empty document or one with a specified title.
  3. Write/edit content:
    • Append blocks: POST /open-apis/docx/v1/documents/{document_id}/blocks/{block_id}/children
    • Batch update: POST /open-apis/docx/v1/documents/{document_id}/blocks/batch_update

Usage example (Python)

from scripts.feishu_docx_client import FeishuDocx

client = FeishuDocx(app_id="cli_a92c5076b7789cd2", app_secret="9jPdCn49G54RFoEoDPUCVcptnWZnTZqp")

# 1. Create the document
doc_id = client.create_document("测试文档")

# 2. Append text
client.append_text(doc_id, "这是由 OpenClaw 写入的内容。")

Resources

  • Client script: scripts/feishu_docx_client.py wraps the commonly used API calls.
  • Reference documentation: see REFERENCES.md for more Block types and API details.
