Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Feishu Doc

v1.0.0

Guide for OpenClaw agents to create, read, and edit Feishu/Lark documents via API. Use when: (1) creating a new Feishu doc and writing content, (2) reading a...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jmin1113/agent-feishu-doc.

Install the skill "Agent Feishu Doc" (jmin1113/agent-feishu-doc) from ClawHub.
Skill page: https://clawhub.ai/jmin1113/agent-feishu-doc
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install agent-feishu-doc

ClawHub CLI


npx clawhub@latest install agent-feishu-doc

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's description matches Feishu document operations, but the included references/guide explicitly shows use of an app_id/app_secret and tenant_access_token (and instructs placing app credentials in ~/.openclaw/openclaw.json). The skill metadata declares no required credentials or primaryEnv; this mismatch is not proportional to the stated manifest and is an omission that affects security decisions.

! Instruction Scope
SKILL.md and references/guide.md instruct the agent to (a) set documents to public/anyone_editable, (b) use web_fetch on feishu doc links, and (c) change openclaw.json to enable tools.sessions.visibility = "all" and restart the gateway. Enabling cross-agent session visibility and making docs publicly editable are outside narrow 'create/read/edit a doc' semantics because they broaden data exposure across agents and external users.

Install Mechanism
Instruction-only skill with no install spec or code files. No binaries, downloads, or package installs — low install risk.

! Credentials
The guidance requires Feishu app credentials (app_id/app_secret → tenant_access_token) but the skill metadata lists no required environment variables or primary credential. Also it tells users to store secrets in openclaw.json. Requesting/using these secrets is reasonable for the operation, but failing to declare them in metadata is an incoherence and prevents automated vetting of the skill's credential needs.

! Persistence & Privilege
always is false (good), but the instructions explicitly tell operators to change agent configuration (openclaw.json) to make sessions visible to all agents. That increases the platform blast radius — a privilege/visibility change that should be flagged and intentionally authorized by administrators, not performed automatically by an agent.

What to consider before installing

This guide appears to implement correct Feishu API calls, but there are three things to consider before installing/using it:

1) Missing credential declaration: The docs require a Feishu app_id and app_secret (to obtain a tenant_access_token), but the skill metadata does not declare any required credentials. Ask the publisher to explicitly list the required env vars/primary credential. Treat app_secret like any secret: store it only in a secure location and rotate if reused.

2) Public docs and cross-agent visibility are risky: The instructions recommend setting docs to "anyone_editable" and enabling tools.sessions.visibility="all" in openclaw.json. Both actions increase exposure — they may leak sensitive content to other agents or external users. Prefer granting the agent's app collaborator access to specific docs or using least-privilege share links instead of global public-edit settings. Only enable sessions.visibility across agents if you understand and accept the privacy implications.

3) Operational best practices: Use a dedicated Feishu bot/tenant with minimal permissions for automation, limit token lifetime, avoid making sensitive documents public, and review openclaw.json changes with an administrator.

If you need higher assurance, request the publisher to (a) declare required credentials in the skill metadata, (b) provide a changelog or provenance for the guide, and (c) avoid instructing blanket config changes in guidance — prefer documenting manual, well-scoped steps.

Like a lobster shell, security has layers — review code before you run it.

latest vk976xaazyd9wqajy5dee8ayqv1844knj
87 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

Agent Feishu Doc Guide

Quick Reference

| Operation | API Endpoint |
| --- | --- |
| Create doc | POST /drive/v1/documents |
| Get doc metadata | GET /drive/v1/documents/{id} |
| Get doc blocks | GET /drive/v1/documents/{id}/blocks |
| Add blocks | POST /drive/v1/documents/{id}/blocks/{parent_id}/children |
| Set public perm | PATCH /drive/v1/permissions/{id}/public?type=docx |

Workflow

1. Create Document

curl -X POST "https://open.feishu.cn/open-apis/drive/v1/documents" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{"title": "文档标题"}'

2. Write Content (Block API)

curl -X POST "https://open.feishu.cn/open-apis/drive/v1/documents/{doc_id}/blocks/{block_id}/children" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{"children": [{"block_type": 2, "text": {"elements": [{"text_run": {"content": "内容"}}]}}]}'

Block types: 2=text, 3=h1, 4=h2, 7=bullet (⚠️ may error, use text instead)

3. Set Public Permissions

curl -X PATCH "https://open.feishu.cn/open-apis/drive/v1/permissions/{doc_id}/public?type=docx" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "link_share_entity": "anyone_editable",
    "external_access_entity": "anyone_can_edit",
    "security_entity": "anyone_can_edit",
    "comment_entity": "anyone_can_edit",
    "share_entity": "anyone"
  }'

Reading Docs

  • By URL: Use web_fetch tool on https://feishu.cn/docx/{doc_id}
  • By ID: Call GET /drive/v1/documents/{id} then /blocks

Prerequisites

  1. Agent's Feishu app must be added as doc collaborator, OR doc set to public
  2. For cross-agent collaboration: set tools.sessions.visibility: "all" in openclaw.json

Troubleshooting

  • Cannot access doc: Add agent's app as collaborator in Feishu, or set doc to public
  • Block API error 9499: Avoid block_type: 7 (bullet), use plain text blocks instead
  • Cross-agent visibility: Add "tools": {"sessions": {"visibility": "all"}} to openclaw.json

For detailed API specs, permissions guide, and example workflows, see references/guide.md.
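
The scan findings name three things an operator can check mechanically before an agent follows this guide: tools.sessions.visibility set to "all", Feishu secrets stored in openclaw.json, and a permission body that opens a doc to anyone. The audit below is an added example, not part of the skill or of ClawHub's scanner; the function names and the channels.feishu layout of the sample config are assumptions.

```python
# Values the guide's step 3 sends; each opens the doc to anyone holding the link.
PUBLIC_VALUES = {"anyone_editable", "anyone_can_edit", "anyone"}
# Normalised key names treated as secrets (both are named in the scan findings).
SECRET_KEYS = {"appsecret", "tenantaccesstoken"}

# Constructed sample. Only tools.sessions.visibility comes from the page;
# the channels.feishu layout is an assumption for illustration.
SAMPLE_CONFIG = {
    "tools": {"sessions": {"visibility": "all"}},
    "channels": {"feishu": {"app_id": "cli_constructed", "app_secret": "constructed-value"}},
}
# Request body copied from step 3 of the guide.
STEP3_BODY = {
    "link_share_entity": "anyone_editable", "external_access_entity": "anyone_can_edit",
    "security_entity": "anyone_can_edit", "comment_entity": "anyone_can_edit",
    "share_entity": "anyone",
}


def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf of a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def audit_config(config):
    """Flag cross-agent session visibility and secrets stored in plaintext."""
    findings = []
    for path, value in walk(config):
        leaf = path.rsplit(".", 1)[-1].replace("_", "").lower()
        if path == "tools.sessions.visibility" and value == "all":
            findings.append(("cross-agent-visibility", path))
        elif leaf in SECRET_KEYS and isinstance(value, str) and value:
            findings.append(("plaintext-secret", path))
    return findings


def audit_permission_body(body):
    """Return the fields of a public-permission PATCH body that open the doc up."""
    return [k for k, v in body.items() if isinstance(v, str) and v in PUBLIC_VALUES]


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG), audit_permission_body(STEP3_BODY))
```

Run audit_config on the parsed openclaw.json before and after applying any change a skill asks for, and audit_permission_body on any request body an agent proposes to send to the public-permission endpoint.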
