乐荐飞书表格

Review

Audited by ClawScan on May 4, 2026.

Overview

This appears to be a disclosed Feishu Sheets integration, but it needs Feishu app credentials and can edit spreadsheets, so permissions and write actions should be reviewed.

Install only if you trust the publisher and need Feishu Sheets automation. Configure a minimal-permission Feishu app, share only the spreadsheets you intend to automate, set OPENCLAW_CONFIG to the correct local config file, and confirm any write/delete/replace-style operation before it runs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed with a broadly shared or over-permissioned Feishu app, the skill may be able to read or change spreadsheets available to that app.

Why it was flagged

The skill requires Feishu app credentials and spreadsheet permission, giving delegated access to Feishu Sheets. This is expected for the integration, but it is sensitive account authority.

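Skill content

Feishu app credentials are required: channels.feishu.appId and channels.feishu.appSecret ... The Feishu app must have the sheets:spreadsheet permission enabled. Using a minimal Feishu app with only Sheets permissions is recommended.

Recommendation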

Use a dedicated Feishu app with only the minimum Sheets permissions, share only intended spreadsheets with it, and rotate the app secret if it may have been exposed.

What this means

A mistaken token, sheet ID, range, or command could overwrite or append data in the wrong spreadsheet.

Why it was flagged

The wrapper can directly write values to Feishu spreadsheets through the API. This is purpose-aligned, but it is mutation authority over user/account data.

Skill content

api_call PUT "/sheets/v2/spreadsheets/$1/values" -d "$body"

Recommendation

Review spreadsheet tokens, ranges, and values before allowing write, replace, merge, delete, or other modifying operations to run.

What this means

Install-time metadata may not fully warn users that a Feishu credential/config setup is required.

Why it was flagged

The registry-level requirement fields say no env vars or primary credential, while the capability signals and skill/package content show sensitive Feishu credentials are needed. This is an under-declared metadata issue, not hidden behavior in the docs.

Skill content

Required env vars: none ... Primary credential: none ... Capability signals: requires-oauth-token; requires-sensitive-credentials

Recommendation

Update registry metadata to declare OPENCLAW_CONFIG and the required Feishu app ID/app secret so users get an accurate permission prompt.