ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Sheets (Fixed)

v1.0.1

Feishu online spreadsheet (Sheets) operations including create, read, write, append data, manage worksheets. Use when user mentions Feishu Sheets, online spr...

0· 204·0 current·0 all-time
byKnight Ni@knight-ni·fork of @wesley138cn/feishu-sheets-skill·canonical: @wesley138cn/feishu-sheets

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for knight-ni/feishu-sheets-fixed.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Feishu Sheets (Fixed)" (knight-ni/feishu-sheets-fixed) from ClawHub.
Skill page: https://clawhub.ai/knight-ni/feishu-sheets-fixed
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install feishu-sheets-fixed

ClawHub CLI

Package manager switcher

npx clawhub@latest install feishu-sheets-fixed
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to provide Feishu Sheets operations and the included Python client implements those APIs — that part is coherent. However the registry metadata declares no required environment variables or primary credential, while the code clearly requires FEISHU_APP_ID and FEISHU_APP_SECRET (to obtain a tenant_access_token). Additionally, package metadata (_meta.json) and registry metadata (ownerId/slug/version) are inconsistent, which raises supply-chain/trust concerns.
!
Instruction Scope
SKILL.md documents the actions and API endpoints but does not instruct how to provide the required app credentials or tenant token; it also provides slightly different guidance for append/write endpoints compared to the bundled references and code. The run-time instructions therefore omit authentication setup that the code will perform by reading environment variables, creating an operational gap and potential confusion.
Install Mechanism
This is an instruction-only skill with an included Python script; there is no install spec (no dependencies or packaging). That lowers installer risk (nothing is downloaded at install time), but the script depends on the 'requests' library and expects to be executable as a CLI. The lack of install/dependency declaration may cause runtime failure and makes reproducibility unclear rather than introducing direct malicious risk.
!
Credentials
The code requires FEISHU_APP_ID and FEISHU_APP_SECRET (to call the Feishu internal auth API and obtain a tenant_access_token). Those credentials are appropriate for the stated purpose, but the skill metadata does not declare them (no required env vars, no primary credential). This mismatch is significant: a user installing the skill might not realize they must provide sensitive app credentials, and the skill will read them from environment variables without explicit disclosure in the registry metadata.
Persistence & Privilege
The skill is not always-included and does not request any elevated platform privileges. It does not modify other skills' configs and does not request persistent presence beyond normal operation.
What to consider before installing
This package implements a Feishu Sheets client and will call Feishu's APIs, but it has three red flags you should address before installing: 1) Authentication is required but not declared: the Python script reads FEISHU_APP_ID and FEISHU_APP_SECRET from environment variables to obtain a tenant_access_token. The registry metadata lists no required env vars or primary credential. Only provide those app credentials if you trust the skill owner and have isolated the credentials to an app with minimal privileges. 2) Metadata inconsistencies: _meta.json disagrees with the registry metadata (ownerId/slug/version). Confirm who published this skill and that the package you received matches the registry listing — this could be an accidental mispackaging or indicate a supply-chain issue. 3) Documentation vs code mismatches: the SKILL.md, the API reference, and the Python code differ slightly on endpoints for append/write/add-sheet. Test in a safe environment before using on production spreadsheets. Recommended actions: - Ask the publisher to update registry metadata to declare FEISHU_APP_ID and FEISHU_APP_SECRET (and a primary credential) and to fix version/owner inconsistencies. - Limit the Feishu app credentials to the minimum scopes and use a test tenant/app first. - Review the code locally (it is included) and run it in an isolated environment to verify behavior and to ensure it does not exfiltrate data to unexpected endpoints (it contacts only open.feishu.cn in the provided code). - If you cannot verify the publisher or do not want to expose app credentials, do not install or run this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b6nnqqsjcpqmptwr2e6bw09837mbq
204downloads
0stars
1versions
Updated 22h ago
v1.0.1
MIT-0
Knight Ni@knight-ni
latest
Download

Feishu Sheets Tool

Single tool feishu_sheets with action parameter for all spreadsheet operations.

Token Extraction

From URL https://xxx.feishu.cn/sheets/shtABC123spreadsheet_token = shtABC123

Actions

Create Spreadsheet

{ "action": "create", "title": "New Spreadsheet" }

Optional folder:

{ "action": "create", "title": "New Spreadsheet", "folder_token": "fldcnXXX" }

Returns: spreadsheet_token, url, title

Write Values

{
  "action": "write",
  "spreadsheet_token": "shtABC123",
  "sheet_id": "0bxxxx",
  "range": "A1:C3",
  "values": [["Name", "Age", "City"], ["Alice", 25, "Beijing"], ["Bob", 30, "Shanghai"]]
}

Read Values

{
  "action": "read",
  "spreadsheet_token": "shtABC123",
  "sheet_id": "0bxxxx",
  "range": "A1:C10"
}

Append Values

{
  "action": "append",
  "spreadsheet_token": "shtABC123",
  "sheet_id": "0bxxxx",
  "values": [["Charlie", 28, "Shenzhen"]]
}

Insert Rows/Columns

{
  "action": "insert_dimension",
  "spreadsheet_token": "shtABC123",
  "sheet_id": "0bxxxx",
  "dimension": "ROWS",
  "start_index": 5,
  "end_index": 7
}

Delete Rows/Columns

{
  "action": "delete_dimension",
  "spreadsheet_token": "shtABC123",
  "sheet_id": "0bxxxx",
  "dimension": "ROWS",
  "start_index": 5,
  "end_index": 7
}

Get Spreadsheet Info

{ "action": "get_info", "spreadsheet_token": "shtABC123" }

Returns: metadata including all sheet_ids and titles

Add Worksheet

{
  "action": "add_sheet",
  "spreadsheet_token": "shtABC123",
  "title": "Sheet2"
}

Delete Worksheet

{
  "action": "delete_sheet",
  "spreadsheet_token": "shtABC123",
  "sheet_id": "0bxxxx"
}

Range Format

  • Cell: A1, B5
  • Range: A1:C10, B2:D5
  • Entire column: A:A, B:D
  • Entire row: 1:1, 3:5
  • With sheet_id: 0bxxxx!A1:C10

Sheet ID

  • From URL: https://xxx.feishu.cn/sheets/shtABC123?sheet=0bxxxx
  • From get_info action
  • Default first sheet often has simple id like 0bxxxx

Data Types

Values can be:

  • String: "Hello"
  • Number: 123, 45.67
  • Formula: {"type": "formula", "text": "=SUM(A1:A10)"}
  • Link: {"type": "url", "text": "Click here", "link": "https://..."}

Configuration

channels:
  feishu:
    tools:
      sheets: true  # default: true

Permissions Required

  • sheets:spreadsheet - Create and manage spreadsheets
  • sheets:spreadsheet:readonly - Read spreadsheet data
  • drive:drive - Access cloud storage

API Reference

Base URL: https://open.feishu.cn/open-apis/sheets/v2/spreadsheets/

See references/api-reference.md for detailed API documentation.

Comments

Loading comments...