ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-doc-editor

Feishu document creation and editing operations using OpenAPI. Activate when user needs to create, edit, or read Feishu documents programmatically.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 878 · 9 current installs · 10 all-time installs
bytoken@zhuligu
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description (Feishu document create/edit via OpenAPI) match the included SKILL.md and reference docs. However, the skill metadata declares no required environment variables or primary credential even though all runtime examples require an app_id/app_secret (to obtain tenant_access_token) or an existing tenant_access_token. That missing declaration is an incoherence: a Feishu API integration legitimately needs credentials but the skill metadata does not request them.
Instruction Scope
SKILL.md and the reference files contain concrete, scoped instructions for obtaining a tenant_access_token, calling Feishu doc APIs (create/read/update/delete blocks), and configuring app/document permissions. The instructions do not direct the agent to read unrelated system files or call external endpoints beyond open.feishu.cn. However, examples and debug snippets write logs (e.g., /tmp/feishu_api_errors.log) and show printing token values — these examples could lead to accidental secret exposure if adopted as-is.
Install Mechanism
Instruction-only skill with no install spec and no code files to be executed or downloaded. This minimizes install-time risk.
!
Credentials
The skill requires sensitive credentials at runtime (app_id/app_secret or a tenant_access_token) but the registry metadata lists no required env vars or primary credential. The reference scripts use variables like APP_ID, APP_SECRET, TOKEN and suggest storing/printing them. Absence of declared credential requirements is disproportionate and misleading; users need to know what secrets they must supply and how the skill will handle them.
Persistence & Privilege
always is false, no install actions, and the skill does not request persistent system privileges or change other skills' configs. There is no evidence it attempts to persist itself or gain elevated privileges.
What to consider before installing
This skill appears to be a legitimate Feishu doc API guide, but its metadata omits the fact that you must supply app credentials. Before installing or using it: (1) expect to provide sensitive values (app_id/app_secret) or a tenant_access_token — do not paste these into public chats; (2) review any scripts you run so they don't print or log full tokens (examples log to /tmp and echo tokens); (3) follow least-privilege: create an app with only the required doc permissions and limit its scope; (4) prefer generating a tenant_access_token at runtime (short-lived) and avoid storing permanent secrets in plaintext; (5) if you need offline/manual verification, confirm how the agent will accept credentials (environment variables, direct input, or other) — the skill metadata should be updated to declare required env vars before you rely on it.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk973ntxpew2vjx9m7mjj0j7nrd8171py

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Feishu Document Editor Skill

This skill provides comprehensive guidance for creating and editing Feishu documents using the Feishu OpenAPI.

Prerequisites

1. App Creation and Configuration

Create enterprise self-built app: Login to Feishu Open Platform, create an app and add "Bot" capability.

Apply for API permissions: In "Permission Management", apply for the following permissions:

  • Document editing: docx:document:write_only
  • Document viewing: docx:document:readonly

Publish app: Submit version and publish, ensuring the app coverage includes target users/departments.

2. Get Access Token

Call the self-built app get tenant_access_token interface:

curl -X POST https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal \
  -H "Content-Type: application/json" \
  -d '{"app_id": "your_app_id", "app_secret": "your_app_secret"}'

Response example:

{
  "code": 0,
  "tenant_access_token": "t-xxx",
  "expire": 7200
}

Core Operations

Extract Document ID

Get document_id from document URL:

Example URL: https://bigdatacenter.feishu.cn/docx/HpK2dtGu9omhMAxV12zcB6i7ngd

document_id = HpK2dtGu9omhMAxV12zcB6i7ngd

Grant App Document Permission

Manually add collaborator:

  • Open document in Feishu client → Click "..." in top right → "More" → "Add document app"
  • Search and add your app, grant "Can edit" permission.

Write Text Content

Interface: Create Block

  • Path parameters: document_id = document ID, block_id = document ID (root node is the document itself)

  • Request headers:

    Authorization: Bearer {tenant_access_token}
Content-Type: application/json

  • Request body example (write "hello"):

    {
  "index": -1,
  "children": [
    {
      "block_type": 2,
      "text": {
        "elements": [
          {
            "text_run": {
              "content": "hello"
            }
          }
        ]
      }
    }
  ]
}

Read Document Content

Interface: Get Document Plain Text

curl -X GET "https://open.feishu.cn/open-apis/docx/v1/documents/{document_id}/plaintext" \
  -H "Authorization: Bearer {tenant_access_token}"

Response example:

{
  "code": 0,
  "data": {
    "content": "Document text content here"
  }
}

Common Issues

1. Permission Error (403 Forbidden)

  • Diagnosis: App not added as document collaborator, or tenant_access_token is invalid.
  • Solution: Re-add app as collaborator, or re-get tenant_access_token.

2. Missing Access Token (99991661)

  • Diagnosis: Request header does not carry Authorization: Bearer {token}.
  • Solution: Ensure tenant_access_token is correctly added to request header.

3. Document Not Found (404 Not Found)

  • Diagnosis: document_id is incorrect or document has been deleted.
  • Solution: Re-extract document_id from document URL.

Reference Documentation

  • Create Block Interface
  • Get Document Plain Text Interface
  • Permission Configuration Guide

Through the above steps, you can achieve editing Feishu documents via API, supporting add/delete/modify/query operations for multiple content types including text, tables, and images.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…