ClawHub

Feishu Contacts

v1.2.0

Search Feishu contacts by name/pinyin/department. Use when you need to find a person's open_id, email, or department info before sending messages or emails.

0· 328·6 current·6 all-time
by@guyun94
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the implementation: the script syncs from Feishu Open API and provides search/list/get operations. However, registry metadata did not declare the required config path (~/.openclaw/openclaw.json) even though SKILL.md and the script require it for appId/appSecret. The metadata and SKILL.md both require python3 and pypinyin, which is proportionate.
Instruction Scope
SKILL.md and the script instruct the agent to read ~/.openclaw/openclaw.json for Feishu app credentials and to write a persistent cache at ~/.openclaw/.feishu-contacts-cache.json. Those actions are consistent with syncing/searching contacts, but they do cause local persistence of potentially sensitive contact data. The instructions do not call out unexpected remote endpoints (they use open.feishu.cn), nor do they attempt to read unrelated system files. The explicit requirement to place secrets in a home config file should be noted.
Install Mechanism
No install spec is provided (instruction-only with an included script). This minimizes supply-chain risk compared to arbitrary downloads. The skill does include a Python script that will be executed when invoked.
!
Credentials
The skill requests no environment variables, but it requires access to a local config file (~/.openclaw/openclaw.json) that must contain Feishu appId/appSecret. The registry metadata failed to declare this required config path, which is an inconsistency. Also the cache file stores user emails/IDs/possibly phone numbers locally in plaintext — this is expected for a contacts tool but is high-value sensitive data and should be protected.
Persistence & Privilege
The skill is not marked always:true and does not request elevated system privileges. It persists a cache file in the user's home directory and reads/writes its own files under ~/.openclaw, which is normal for this purpose. Autonomous invocation is enabled by default (platform default); this is not in itself flagged but you should be aware an agent could call the skill unless you restrict it.
What to consider before installing
What to consider before installing: 1) The skill requires you to put Feishu appId/appSecret into ~/.openclaw/openclaw.json — verify you trust the skill code before storing credentials there. 2) It will download and persist contact data (emails, open_ids, etc.) to ~/.openclaw/.feishu-contacts-cache.json in plaintext; decide whether this local storage is acceptable. 3) The registry metadata omitted the required config path, which is an inconsistency; prefer skills whose metadata accurately lists required files/credentials. 4) The included Python script contains minor coding issues (possible syntax/logic bugs) — test it in a safe environment before using in production. 5) If you do not want the agent to call this skill autonomously, restrict agent permissions or disable autonomous invocation. If you need help auditing the full script for bugs or hidden network calls, consider sharing the complete file for review.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📇 Clawdis
Binspython3
latestvk97421f7gset11qy71ysx1kh7x82a6qp
328downloads
0stars
1versions
Updated 1mo ago
v1.2.0
MIT-0
@guyun94
latest
Download

Feishu Contacts Search

飞书通讯录本地缓存搜索。支持中文名、拼音、拼音首字母、英文名模糊匹配。

Setup (first time only)

确保 ~/.openclaw/openclaw.json 中已配置飞书应用凭据:

{
  "channels": {
    "feishu": {
      "appId": "cli_xxx",
      "appSecret": "xxx"
    }
  }
}

飞书应用需要以下权限:

  • contact:user:read — 读取用户信息
  • contact:user:read_v2 — 读取用户详细信息
  • contact:department:read — 读取部门信息

安装后首次使用前,执行同步:

python3 ~/.openclaw/skills/feishu-contacts/scripts/feishu-contacts.py sync

Script Location

~/.openclaw/skills/feishu-contacts/scripts/feishu-contacts.py

Commands

同步通讯录(定期执行,新入职的人需要 sync 才能搜到)

python3 ~/.openclaw/skills/feishu-contacts/scripts/feishu-contacts.py sync

搜索用户

python3 ~/.openclaw/skills/feishu-contacts/scripts/feishu-contacts.py search <人名>

支持:中文名、拼音(zhangsan)、拼音首字母(zs)、英文名、同音字模糊匹配。

搜索部门

python3 ~/.openclaw/skills/feishu-contacts/scripts/feishu-contacts.py search-dept <部门名>

列出部门所有成员

python3 ~/.openclaw/skills/feishu-contacts/scripts/feishu-contacts.py list-dept <dept_id>

获取用户详情(实时 API 调用)

python3 ~/.openclaw/skills/feishu-contacts/scripts/feishu-contacts.py get <open_id>

查看缓存信息

python3 ~/.openclaw/skills/feishu-contacts/scripts/feishu-contacts.py info

CRITICAL: 人员定位规则

任何涉及"给某人做某事"的操作(发消息、发邮件、创建任务等),必须先通过本工具定位到具体的人

强制流程

IF 目标是人名:
  1. 执行: search <姓名>
  2. 获取: open_id(飞书消息)/ email(邮件,需 get <open_id>)
  3. 结果唯一 → 直接使用
  4. 结果多个 → 列出候选让用户选择
  5. 结果为空 → 报告找不到,让用户提供更多信息

IF 目标是部门:
  1. 执行: search-dept <部门名>
  2. 获取: dept_id
  3. 执行: list-dept <dept_id>
  4. 获取: 所有成员的 open_id

禁止行为

  • ❌ 不准说"找不到这个人"而不先执行搜索命令
  • ❌ 不准猜测或编造 open_id / email
  • ❌ 不准从记忆中猜测人员信息,必须执行命令获取
  • ❌ 不准截断 list-dept 的输出,必须完整展示所有成员

使用示例

用户: "给张三发个飞书消息说开会"

1. search 张三 → 获得 open_id: ou_xxx
2. 发送飞书消息到 ou_xxx

用户: "给产品部所有人发邮件"

1. search-dept 产品 → 获得 dept_id: od_yyy
2. list-dept od_yyy → 获得成员列表
3. 对每个成员 get <open_id> 获取邮箱
4. 批量发送邮件

Cache

  • 位置: ~/.openclaw/.feishu-contacts-cache.json
  • 内容: 用户、部门、部门-用户映射
  • 更新: 执行 sync 刷新(新入职的人搜不到时需要 sync)

Tips

  • 搜索返回 top 10 结果,按相关度排序
  • get 命令是实时 API 调用,可获取最新的邮箱、手机号等详细信息
  • 缓存跨重启持久化,但建议定期 sync 保持数据新鲜

Comments

Loading comments...