Lark/Feishu Sheets & Cloud File Download (with PDF extraction)

v1.3.1

Read, write and manage Lark/Feishu Sheets (spreadsheets) and download Lark/Feishu cloud files via Lark OpenAPI. Reads Feishu app credentials (appId/appSecret...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the actual behavior: the scripts implement Sheets read/write and Drive file download using Feishu/Lark OpenAPI. The scripts expect appId/appSecret in ~/.openclaw/openclaw.json (or via OPENCLAW_CONFIG), which is a reasonable way to authenticate for these APIs.
Instruction Scope
SKILL.md and the included scripts limit actions to reading the OpenClaw config, fetching tenant tokens, calling Feishu/Lark API endpoints, downloading files, extracting PDF text/images, and writing user-specified output files. I found no instructions to read unrelated system files or send data to external endpoints beyond the official OpenAPI hosts.
Install Mechanism
This is an instruction-only skill (no install spec). The scripts auto-install Python packages (pdfplumber, pypdf, pymupdf, etc.) using pip at runtime if missing. Auto-installing packages from PyPI is expected for PDF extraction but does modify the environment and requires network access to PyPI; consider running in an isolated virtualenv if undesirable.
Credentials
The skill does not request unrelated credentials or environment variables. It reads appId/appSecret from the documented OpenClaw config path (or OPENCLAW_CONFIG). That access is required to obtain API tokens for the listed functionality and is proportionate to the stated purpose.
Persistence & Privilege
The skill is user-invocable, not forced (always: false), and does not attempt to modify other skills or system-wide agent settings. It writes only to user-specified output paths (and creates support directories for extraction). Autonomous invocation is allowed by platform default but is not combined with elevated/hidden privileges here.
Assessment
This skill is internally coherent with its description, but note a few practical safety points before installing/using it:
(1) The code reads your Feishu/Lark appId and appSecret from ~/.openclaw/openclaw.json (or the OPENCLAW_CONFIG path) — those credentials will be used to fetch tenant tokens and call the official OpenAPI; only provide credentials you intend the skill to use.
(2) The scripts auto-install Python PDF libraries from PyPI on first use; if you prefer, run them inside a virtualenv or container to avoid modifying your system Python environment.
(3) The tool will download files to paths you supply and may create image/text output directories; review and choose output paths carefully.
(4) The skill source and homepage are not provided in registry metadata — if you need stronger provenance guarantees, review the included scripts yourself or only install from a trusted source.
(5) If you have sensitive credentials in your OpenClaw config that you do not want available to third-party code, consider creating a dedicated Feishu app with minimal scopes and rotating credentials after testing.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9756173r4fk32ptp6n14jb9hh835h33


Runtime requirements

OS: macOS · Linux · Windows
Bins: python3
