飞书云盘助手
v1.1.5基于飞书官方 API 的云盘管理技能,支持文件列表查询、上传、下载、文件夹创建、权限管理、文件搜索、统计信息、快捷方式、复制移动等完整功能。参考 feishu-drive 技能开发,修复了原技能中的 API 调用错误,并新增了自动化权限管理功能。
⭐ 0· 126·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, required binaries (python3/pip3), required env vars (FEISHU_APP_ID, FEISHU_APP_SECRET), and the included Python client all align with a cloud-drive management skill. The code calls only Feishu (open.feishu.cn) endpoints and implements listed features (list/upload/download/folders/permissions).
Instruction Scope
SKILL.md's runtime instructions stay within the Drive management scope and instruct installing 'requests', setting credentials, and using the client. Two minor issues: (1) SKILL.md suggests an optional FEISHU_ROOT_FOLDER_TOKEN environment variable (used by examples) but this optional var is not listed in the declared required envs; (2) there are small doc/code mismatches (e.g., use of 'user_id' vs 'open_id' field names in user lookup/permission flows and some comments about which v2 parameters are supported). These are implementation bugs/ambiguities rather than indicators of extraneous data collection.
Install Mechanism
This is effectively an instruction-only skill with a Python client file; dependency installation is limited to pip installing 'requests' (a common, traceable package). No arbitrary downloads, URL shorteners, or archive extraction are used in the provided artifacts.
Credentials
Only FEISHU_APP_ID and FEISHU_APP_SECRET are required (FEISHU_APP_SECRET is the primary credential). The skill does not request unrelated secrets or multiple external credentials. The optional FEISHU_ROOT_FOLDER_TOKEN is used for convenience in examples but is not required.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It caches tenant_access_token in the client instance (in-memory) which is normal; it does not modify other skill configurations or require persistent system-level changes.
Scan Findings in Context
[no_findings] expected: Static pre-scan reported no suspicious regex matches. This is consistent with the skill being a normal API client. Absence of findings is not proof of safety—manual review notes minor doc/code mismatches described above.
Assessment
This skill appears to do what it says: a Feishu Drive client implemented in Python. Before installing or using it, you should: 1) review feishu_drive_client.py yourself (especially permission-related methods) and test in a non-production environment; 2) provide only the minimum Feishu app permissions required and use a dedicated test app if possible; 3) manage FEISHU_APP_SECRET securely (do not embed in code or repos) and rotate it if exposed; 4) be aware SKILL.md references an optional FEISHU_ROOT_FOLDER_TOKEN (not declared as required) and there are small field-name mismatches (user_id/open_id) you may want to validate against the Feishu API in your tenant.Like a lobster shell, security has layers — review code before you run it.
latestvk970sexb8rdmmdzx9k56hqshqx83e3d5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3, pip3
EnvFEISHU_APP_ID, FEISHU_APP_SECRET
Primary envFEISHU_APP_SECRET