Feishu Bitable API
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Feishu Bitable CRUD integration, but it needs Feishu app credentials and can modify or delete Bitable data.
Install this only if you want Clawdbot to manage Feishu Bitable data. Use least-privilege Feishu app credentials, store secrets securely, verify the npm package/dependencies, and require confirmation before delete, update, batch, or @file import operations.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent using these credentials can access and modify Feishu Bitable data allowed by the Feishu app's scopes.
The skill needs Feishu app credentials and read/write Bitable permissions. That is expected for the stated API purpose, but these credentials authorize account data access and mutation.
requires":{"env":["FEISHU_APP_ID","FEISHU_APP_SECRET"]} ... The app needs the `bitable:record:readonly` and `bitable:record:write` permissions
Use a dedicated Feishu app with the minimum required scopes, store the secret outside chat, and rotate it if it may have been exposed.
A mistaken or overbroad delete/update request could remove or alter Feishu Bitable records or tables.
The documented API surface includes deleting tables and records, including batch deletes. This is purpose-aligned for a CRUD skill but can cause business data loss if invoked incorrectly.
DELETE /bitable/v1/apps/{app_token}/tables/{table_id} ... DELETE /bitable/v1/apps/{app_token}/tables/{table_id}/records/{record_id} ... records/batch_delete
Require explicit user confirmation for delete, update, and batch operations, and test on a non-production Bitable first.
If the wrong JSON file is selected, its contents could be imported into or sent to Feishu Bitable.
The CLI supports @file inputs and reads local JSON files for table or record data. This is useful and documented, but selected file contents may be sent to Feishu in create/update/batch operations.
if (typeof input === 'string' && input.startsWith('@')) { ... const content = fs.readFileSync(filePath, 'utf8'); return JSON.parse(content); }
Only use @file with intended import files, avoid pointing it at secrets or private exports, and review file contents before running create/update commands.
Installing the skill may install third-party npm packages needed by the CLI.
The skill relies on npm dependencies. This is normal for a Node CLI integration, and a package-lock is included, but installation still depends on external package provenance.
"dependencies": { "axios": "^1.6.0", "commander": "^11.1.0", "dotenv": "^16.3.0" }
Install from a trusted package copy, keep the lockfile, and review dependency changes before upgrading.
