feishu-message
Unified CLI toolkit for Feishu messaging tasks including fetching messages, sending audio, creating group chats, and listing pinned messages.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 1.3k · 13 current installs · 14 all-time installs
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (Feishu messaging CLI) matches the included scripts: get, send-audio, create-chat, list-pins, etc. However, the registry metadata declares no required env vars or credentials while the code clearly requires FEISHU_APP_ID and FEISHU_APP_SECRET (and uses the Lark/Feishu SDK and HTTP APIs). Also index.js proxies to a sibling skill ('../feishu-post/send.js') that is not declared in metadata. These omissions are inconsistent with the stated purpose.
Instruction Scope
SKILL.md instructs running index.js and subcommands, which is consistent. But the runtime instructions (the code) load environment from ../../.env via dotenv, write a token cache at '../../memory/feishu_token.json', and spawn sibling scripts (../feishu-post/send.js). Reading a repository/root .env two directories up is broader than the skill's stated scope and can expose unrelated secrets. The skill also assumes presence of other skills/files (feishu-post) without declaring that dependency.
Install Mechanism
There is no install spec (instruction-only), which lowers installer risk. However, package.json/package-lock.json are present and list many dependencies (including @larksuiteoapi/node-sdk, axios, music-metadata). The lack of an install step is inconsistent — the code requires node modules but the registry metadata provides no guidance for installing them. This mismatch can lead to runtime failures or ad-hoc manual installs.
Credentials
The skill metadata declares no required env vars or primary credential, but multiple scripts require FEISHU_APP_ID and FEISHU_APP_SECRET and use dotenv to load ../../.env (an undeclared config path). These are sensitive organization-level credentials; requesting or implicitly loading them should have been declared. The skill also caches tenant access tokens to ../../memory/feishu_token.json (writes to disk). The scope of env/config access is broader than the metadata indicates.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill does write a token cache file within a relative memory path and spawns child processes, but it does not modify other skills' configurations or request persistent 'always' presence. No direct privilege escalation is observed.
What to consider before installing
This package contains working scripts for Feishu (Lark) messaging, but the metadata omits important details. Before installing or running it:
1) Do not run it in a production environment with real org credentials yet — the code expects FEISHU_APP_ID and FEISHU_APP_SECRET.
2) Inspect the ../../.env file it will load (relative to the skill) — it will load full dotenv contents two directories up, which may include unrelated secrets; avoid placing your real .env there.
3) Note it writes a token cache to '../../memory/feishu_token.json' (it will create or overwrite that path).
4) The index spawns ../feishu-post/send.js — verify that sibling skill/script is trustworthy or present; otherwise the send subcommand may fail or execute unexpected code.
5) Because there is no install spec, you will likely need to run npm install yourself; review package-lock for third-party deps.
6) If you plan to use this, prefer running it in an isolated environment (throwaway account or container) and explicitly set only the minimal Feishu app credentials the tool needs.
7) Ask the author to update registry metadata to declare required env vars and config paths and to remove implicit ../../.env loading or make the config path configurable — that will make the skill's behavior coherent and safer.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.5
SKILL.md
Feishu Message Skill
A unified toolkit for Feishu messaging operations, providing a single CLI entry point for common tasks.
Usage
Use the unified CLI via index.js:
node skills/feishu-message/index.js <command> [options]
Commands
1. Get Message (get)
Fetch message content by ID. Supports recursive fetching for merged messages.
node skills/feishu-message/index.js get <message_id> [--raw] [--recursive]
Example:
node skills/feishu-message/index.js get om_12345 --recursive
2. Send Audio (send-audio)
Send an audio file as a voice bubble.
node skills/feishu-message/index.js send-audio --target <id> --file <path> [--duration <ms>]
- --target: User OpenID (ou_) or ChatID (oc_).
- --file: Path to audio file (mp3/wav/etc).
- --duration: (Optional) Duration in ms.
3. Create Group Chat (create-chat)
Create a new group chat with specified users.
node skills/feishu-message/index.js create-chat --name "Project Alpha" --users "ou_1" "ou_2" --desc "Description"
4. List Pins (list-pins)
List pinned messages in a chat.
node skills/feishu-message/index.js list-pins <chat_id>
Legacy Scripts
Standalone scripts are still available for backward compatibility:
- get.js
- send-audio.js
- create_chat.js
- list_pins_v2.js
Dependencies
- axios
- form-data
- music-metadata
- commander
